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Contact Information 

Blue Coat Systems Inc. 

420 North Mary Ave 
Sunnyvale, CA 94085-4121 

http://www.bluecoat.com/ support/ contactsupport 
http: / / www.bluecoat.com 

For concerns or feedback about the documentation: documentation@bluecoat.com 
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Copyright© 1999-2008 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means 
nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other 
means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and 
shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. Proxy AV™, CacheOS™, SGOS™, SG™, Spyware 
Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ and MACH5™ are trademarks of Blue Coat Systems, Inc. and 
CacheFlow®, Blue Coat®, Accelerating The Internet®, ProxySG®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, 
The Ultimate Internet Sharing Solution®, Cerberian®, Permeo®, Permeo Technologies, Inc.®, and the Cerberian and Permeo logos are 
registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of 
their respective owners. 

BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, 
STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT 
LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND 
NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR 
ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, 
INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 

Blue Coat Systems, Inc. utilizes third party software from various sources. Portions of this software are copyrighted by their respective 
owners as indicated in the copyright notices below. 

The following lists the copyright notices for: 

Advanced Software Engineering 

This software is based in part on the work of the Independent JPEG Group. 

This software is based in part of the work of the FreeType Team. 

THE BEER-WARE LICENSE" (Revision 42): 

< phk@FreeBSD.org <mailto:phk@FreeBSD.org >> wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we 
meet some day, and you think this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp 

BPF 

Ccopyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 
The Regents of the University of California. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the 
above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph 
in its entirety in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this 
software display the following acknowledgement: 

This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors. 

Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without 
specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, 
INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
Browser Detect 

http: / / creativecommons.org/licenses/by /1.0/ 

DES 

Software DES functions written 12 Dec 1986 by Phil Karn, KA9Q; large sections adapted from the 1977 public-domain program by Jim Gillogly. 

EXPAT 

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd. 

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal 
in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/ or sell copies 
of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
DEALINGS IN THE SOFTWARE. 

Fin j an Software 

Copyright (c) 2003 Finjan Software, Inc. All rights reserved. 

Flowerfire 

Copyright (c) 1996-2002 Greg Ferrar 
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The FreeType Project LICENSE 

2006-Jan-27 

Copyright 1996-2002, 2006 by David Turner, Robert Wilhelm, and Werner Lemberg 
Introduction 



The FreeType Project is distributed in several archive packages; some of them may contain, in addition to the FreeType font engine, various tools and 
contributions which rely on, or relate to, the FreeType Project. 

This license applies to all files found in such packages, and which do not fall under their own explicit license. The license affects thus the FreeType 
font engine, the test programs, documentation and makefiles, at the very least. 

This license was inspired by the BSD, Artistic, and IJG (Independent JPEG Group) licenses, which all encourage inclusion and use of free 
software in commercial and freeware products alike. As a consequence, its main points are that: 

o We don't promise that this software works. However, we will be interested in any kind of bug reports, ('as is' distribution) 
o You can use this software for whatever you want, in parts or full form, without having to pay us. ('royalty-free' usage) 

o You may not pretend that you wrote this software. If you use it, or only parts of it, in a program, you must acknowledge somewhere in your 
documentation that you have used the FreeType code, ('credits') 

We specifically permit and encourage the inclusion of this software, with or without modifications, in commercial products. We disclaim all 
warranties covering The FreeType Project and assume no liability related to The FreeType Project. 

Finally, many people asked us for a preferred form for a credit/ disclaimer to use in compliance with this license. We thus encourage you to use the 
following text: 

"Portions of this software are copyright (c) 2007The FreeType Project (www.freetype.org). All rights reserved." 

Legal Terms 



0. Definitions 

Throughout this license, the terms 'package', 'FreeType Project’, and 'FreeType archive' refer to the set of files originally distributed by the authors 
(David Turner, Robert Wilhelm, and Werner Lemberg) as the 'FreeType Project', be they named as alpha, beta or final release. 

'You' refers to the licensee, or person using the project, where 'using' is a generic term including compiling the project's source code as well as linking 
it to form a 'program' or 'executable'. This program is referred to as 'a program using the FreeType engine'. 

This license applies to all files distributed in the original FreeType Project, including all source code, binaries and documentation, unless 
otherwise stated in the file in its original, unmodified form as distributed in the original archive. If you are unsure whether or not a particular file 
is covered by this license, you must contact us to verify this. 

The FreeType Project is copyright (C) 1996-2000 by David Turner, Robert Wilhelm, and Werner Lemberg. All rights reserved except as specified below. 

1. No Warranty 

THE FREETYPE PROJECT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT 
NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ANY OF 
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO USE, OF THE 
FREETYPE PROJECT. 

2. Redistribution 

This license grants a worldwide, royalty-free, perpetual and irrevocable right and license to use, execute, perform, compile, display, copy, create 
derivative works of, distribute and sublicense the FreeType Project (in both source and object code forms) and derivative works thereof for any 
purpose; and to authorize others to exercise some or all of the rights granted herein, subject to the following conditions: 

o Redistribution of source code must retain this license file ('FTL.TXT') unaltered; any additions, deletions or changes to the original files must be 
clearly indicated in accompanying documentation. The copyright notices of the unaltered, original files must be preserved in all copies of source 
files. 

o Redistribution in binary form must provide a disclaimer that states that the software is based in part of the work of the FreeType Team, in the 
distribution documentation. We also encourage you to put an URL to the FreeType web page in your documentation, though this isn't mandatory. 

These conditions apply to any software derived from or based on the FreeType Project, not just the unmodified files. If you use our work, you must 
acknowledge us. However, no fee need be paid to us. 

3. Advertising 

Neither the FreeType authors and contributors nor you shall use the name of the other for commercial, advertising, or promotional purposes without 
specific prior written permission. 

We suggest, but do not require, that you use one or more of the following phrases to refer to this software in your documentation or advertising 
materials: 'FreeType Project', 'FreeType Engine’, 'FreeType library’, or 'FreeType Distribution'. 

As you have not signed this license, you are not required to accept it. However, as the FreeType Project is copyrighted material, only this license, 
or another one contracted with the authors, grants you the right to use, distribute, and modify it. Therefore, by using, distributing, or modifying the 
FreeType Project, you indicate that you understand and accept all the terms of this license. 

4. Contacts 

There are two mailing lists related to FreeType: 
o freetype@nongnu.org 

Discusses general use and applications of FreeType, as well as future and wanted additions to the library and distribution. If you are looking for 
support, start in this list if you haven’t found anything to help you in the documentation, 
o freetype-devel@nongnu.org 
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Discusses bugs, as well as engine internals, design issues, specific licenses, porting, etc. 

Our home page can be found at http:/ / www.freetype.org 

ISODE 

ISODE 8.0 NOTICE 

Acquisition, use, and distribution of this module and related materials are subject to the restrictions of a license agreement. Consult the Preface in the 
User's Manual for the full terms of this agreement. 

4BSD/ISODE SMP NOTICE 

Acquisition, use, and distribution of this module and related materials are subject to the restrictions given in the file SMP-READ-ME. 

UNIX is a registered trademark in the US and other countries, licensed exclusively through X/Open Company Ltd. 

irrxml 

Copyright © 2002-2007 Nikolaus Gebhardt 

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the 
use of this software. 

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject 
to the following restrictions: 

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, 
an acknowledgment in the product documentation would be appreciated but is not required. 

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 

3. This notice may not be removed or altered from any source distribution. 

json-c 

Copyright (c) 2004, 2005 Metaparadigm Pte Ltd 

Permission is hereby granted, free of charge, to any person obtaining acopy of this software and associated documentation files (the "Software"),to deal 
in the Software without restriction, including without limitationthe rights to use, copy, modify, merge, publish, distribute, sublicense,and/ or sell copies 
of the Software, and to permit persons to whom theSoftware is furnished to do so, subject to the following conditions: 

The above copyright notice and this permission notice shall be includedin all copies or substantial portions of the Software. 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THE 
WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 
THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF 
CONTRACT, TORT OR OTHERWISE, ARISING FROM,OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 
IN THE SOFTWARE, 
libpng 

This copy of the libpng notices is provided for your convenience. In case ofany discrepancy between this copy and the notices in the file png.h that 
isincluded in the libpng distribution, the latter shall prevail. 

COPYRIGHT NOTICE, DISCLAIMER, and LICENSE: 

If you modify libpng you may insert additional notices immediately following this sentence, 
libpng versions 1.2.6, August 15, 2004, through 1.2.25, February 18, 2008, are 

Copyright (c) 2004, 2006-2008 Glenn Randers-Pehrson, and aredistributed according to the same disclaimer and license as libpng-1.2.5 
with the following individual added to the list of Contributing Authors 
Cosmin Truta 

libpng versions 1.0.7, July 1, 2000, through 1.2.5 - October 3, 2002, areCopyright (c) 2000-2002 Glenn Randers-Pehrson, and aredistributed according to 
the same disclaimer and license as libpng-1.0.6with the following individuals added to the list of Contributing Authors 
Simon-Pierre Cadieux 
Eric S. Raymond 
Gilles Vollant 

and with the following additions to the disclaimer: 

There is no warranty against interference with your enjoyment of the library or against infringement. There is no warranty that our efforts or the 
library will fulfill any of your particular purposes or needs. This library is provided with all faults, and the entire risk of satisfactory quality, 
performance, accuracy, and effort is with the user. 

libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, areCopyright (c) 1998, 1999 Glenn Randers-Pehrson, and aredistributed according to 
the same disclaimer and license as libpng-0.96,with the following individuals added to the list of Contributing Authors: 

Tom Lane 

Glenn Randers-Pehrson 
Willem van Schaik 

libpng versions 0.89, June 1996, through 0.96, May 1997, are 
Copyright (c) 1996, 1997 Andreas Dilger 

Distributed according to the same disclaimer and license as libpng-0.88,with the following individuals added to the list of Contributing Authors: 

John Bowler 
Kevin Bracey 
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Sam Bushell 
Magnus Holmgren 
Greg Roelofs 
Tom Tanner 

libpng versions 0.5, May 1995, through 0.88, January 1996, areCopyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc. 

For the purposes of this copyright and license, "Contributing Authors"is defined as the following set of individuals: 

Andreas Dilger 
Dave Martindale 
Guy Eric Schalnat 
Paul Schmidt 
Tim Wegner 

The PNG Reference Library is supplied "AS IS". The Contributing Authorsand Group 42, Inc. disclaim all warranties, expressed or implied,including, 
without limitation, the warranties of merchantability and offitness for any purpose. The Contributing Authors and Group 42, Inc.assume no liability for 
direct, indirect, incidental, special, exemplary, or consequential damages, which may result from the use of the PNG Reference Library, even if advised 
of the possibility of such damage. Permission is hereby granted to use, copy, modify, and distribute this source code, or portions hereof, for any purpose, 
without fee, subject to the following restrictions: 

1. The origin of this source code must not be misrepresented. 

2. Altered versions must be plainly marked as such and must not be misrepresented as being the original source. 

3. This Copyright notice may not be removed or altered from any source or altered source distribution. The Contributing Authors and Group 42, Inc. 
specifically permit, without fee, and encourage the use of this source code as a component to supporting the PNG file format in commercial products. If 
you use this source code in a product, acknowledgment is not required but would be appreciated. 

A "png_get_copyright" function is available, for convenient use in "about" 
boxes and the like: 

printf("%s",png_get_copyright(NULL)); 

Also, the PNG logo (in PNG format, of course) is supplied in the files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31). 

Libpng is OSI Certified Open Source Software. OSI Certified Open Source is a certification mark of the Open Source Initiative. 

Glenn Randers-Pehrson 
glennrp at users.sourceforge.net 
February 18, 2008 

Mach_Star 

mach_star is licensed under Creative Commons Attribution License 2.0. Read the license for details, but the gist is you can use mach_star however 
youid like so long as you give me credit. That mostly means putting 
Portions Copyright (c) 2003-2005 Jonathan eWolfi Rentzsch 
In your About Box. 

Keychain framework 

Created by Wade Tregaskis on Fri Jan 24 2003. 

Copyright (c) 2003, Wade Tregaskis. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/ or other materials provided with the distribution. 

* Neither the name of Wade Tregaskis nor the names of its contributors may be used to endorse or promote products derived from this software without 
specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

Method Swizzle 

Copyright (c) 2006 Tildesoft. All rights reserved. 

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal 
in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/ or sell copies 
of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 

The above copyright notice and this permission notice shall be included in / / all copies or substantial portions of the Software. 

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE 
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE // 
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AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF 
CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER 
DEALINGS IN THE SOFTWARE. 

Implementation of Method Swizzling, inspired by 
http:/ / www.cocoadev.com/index.pl7MethodSwizzling 

Growl 

Uses the BSD license: http: / /growl.info/ documentation /developer /bsd-license.txt 
Base64 encoding in Cocoa 

Original code: http: / / www.dribin.org/ dave /blog /archives/ 2006/ 03/ 12/base64_cocoa/ 

Uses the Create Commons license: http://creativecommons.Org/licenses/by-nc-nd/3.0/us/ 

MD5 

RSA Data Security, Inc. MD5 Message-Digest Algorithm 

Copyright (c) 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved. 

License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all 
material mentioning or referencing this software or this function. 

License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 
Message-Digest Algorithm" in all material mentioning or referencing the derived work. 

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any 
particular purpose. It is provided "as is" without express or implied warranty of any kind. 

Microsoft Windows Media Streaming 

Copyright (c) 2003 Microsoft Corporation. All rights reserved. 

Novell 

Novell and eDirectory are [either] registered trademarks [or] trademarks of Novell, Inc. in the United States and other countries. 

LDAPSDK.DLL Copyright (c) 2006 Novell, Inc. All rights reserved. 

LDAPSSL.DLL Copyright (c) 2006 Novell, Inc. All rights reserved. 

LDAPX.DLL Copyright (c) 2006 Novell, Inc. All rights reserved. 

The following are copyrights and licenses included as part of Novell's LDAP Libraries for C: 

HSpencer 

Copyright 1992, 1993, 1994 Henry Spencer. All rights reserved. 

This software is not subject to any license of the American Telephone and Telegraph Company or of the Regents of the University of California. 
Permission is granted to anyone to use this software for any purpose on any computer system, and to alter it and redistribute it, subject 
to the following restrictions: 

1. The author is not responsible for the consequences of use of this software, no matter how awful, even if they arise from flaws in it. 

2. The origin of this software must not be misrepresented, either by explicit claim or by omission. Since few users ever read sources, credits must appear 
in the documentation. 

3. Altered versions must be plainly marked as such, and must not be misrepresented as being the original software. Since few users ever read sources, 
credits must appear in the documentation. 

4. This notice may not be removed or altered. 



Copyright (c) 1994 

The Regents of the University of California. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: 

This product includes software developed by the University of California, Berkeley and its contributors. 

4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without 
specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

@(#)COPYRIGHT8.1 (Berkeley) 3/16/94 
OpenLDAP 
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Copyright 1998,1999 The OpenLDAP Foundation, Redwood City, California, USA 
All rights reserved. 

Redistribution and use in source and binary forms are permitted only as authorized by the OpenLDAP Public License. A copy of this license is available 
at http: / / www.OpenLDAP.org/license.html or in file LICENSE in the top-level directory of the distribution. 

Individual files and/ or contributed packages may be copyright by other parties and use subject to additional restrictions. 

This work is derived from the University of Michigan LDAP v3.3 distribution. Information concerning is available at 
http:/ / www. umich.edu/ ~dirsvcs/ldap/ldap.html . 

This work also contains materials derived from public sources. 

Additional Information about OpenLDAP can be obtained at: 
http:/ / www.openldap.org/ 
or by sending e-mail to: 
info@OpenLDAP.org 

Portions Copyright (c) 1992-1996 Regents of the University of Michigan. 

All rights reserved. 

Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of 
Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior 
written permission. This software is provided "as is" without express or implied warranty. 

The OpenLDAP Public License 
Version 2.0.1, 21 December 1999 

Copyright 1999, The OpenLDAP Foundation, Redwood City, California, USA. 

All Rights Reserved. 

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the 
following conditions are met: 

1. Redistributions of source code must retain copyright statements and notices. Redistributions must also contain a copy of this document. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

3. The name "OpenLDAP" must not be used to endorse or promote products derived from this Software without prior written permission of the 
OpenLDAP Foundation. For written permission, please contact foundation@openldap.org. 

4. Products derived from this Software may not be called "OpenLDAP" nor may "OpenLDAP" appear in their names without prior written permission 
of the OpenLDAP Foundation. OpenLDAP is a trademark of the OpenLDAP Foundation. 

5. Due credit should be given to the OpenLDAP Project 
( http:/ /www.openldap.org/ . 

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND CONTRIBUTORS "AS IS” AND ANY EXPRESSED OR IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 

INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT HOWEVER CAUSED AND ON 
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 
IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

Open SSL 
LICENSE ISSUES 



The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. 
See below for the actual license texts. Actually both licenses are BSD-tyle Open Source licenses. In case of any license issues related to OpenSSL 
please contact openssl-core@openssl.org. 

OpenSSL License 



Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: 

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit, (http:/ / www.openssl.org/)" 

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior 
written permission. For written permission, please contact openssl-core@openssl.org. 

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the 
OpenSSL Project. 
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6. Redistributions of any form whatsoever must retain the following acknowledgment: 

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http:/ / www.openssl.org/)" 

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 
EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILHY OF SUCH DAMAGE. 



This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim 
Hudson (tjh@cryptsoft.com). 

Original SSLeay License 



Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 

All rights reserved. 

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes 
SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all 
code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution 
is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). 

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young 
should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in 
documentation (online or textual) provided with the package. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: 

"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" 

The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related . 

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: 
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARHCULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 
THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR 
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 

The licence and distribution terms for any publically available version or derivative of this code cannot be changed, i.e. this code cannot simply be 
copied and put under another distribution licence [including the GNU Public Licence.] 

[end of copyrights and licenses for Novell's LDAP Libraries for C] 

The OpenLDAP Public License 

Version 2.8, 17 August 2003 

Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the 
following conditions are met: 

1. Redistributions in source form must retain copyright statements and notices, 

2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the 
documentation and/ or other materials provided with the distribution, and 

3. Redistributions must contain a verbatim copy of this document. 



The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software 
under terms of this license revision or under the terms of any subsequent revision of the license. 



THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESSED OR IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPEN LDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR 
OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, 

BUT NOT LIMHED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
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(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software 
without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. 

OpenLDAP is a registered trademark of the OpenLDAP Foundation. 

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, 

California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted. 

OpenSSH 

Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved 
This file is part of the OpenSSH software. 

The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, 
or a licence more free than that. 

OpenSSH contains no GPL code. 

1) As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be 
clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than 
"ssh" or "Secure Shell". 

[Tatu continues] 

However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under 
my direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any 
purpose (the GNU license being the most restrictive); see below for details. 

[However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been 
removed from OpenSSH, i.e., 

- RSA is no longer included, found in the OpenSSL library 

- IDEA is no longer included, its use is deprecated 

- DES is now external, in the OpenSSL library 

- GMP is no longer used, and instead we call BN code from OpenSSL 

- Zlib is now external, in a library 

- The make-ssh-known-hosts script is no longer included 

- TSS has been removed 

- MD5 is now external, in the OpenSSL library 

- RC4 support has been replaced with ARC4 support from OpenSSL 

- Blowfish is now external, in the OpenSSL library 
[The licence continues] 

Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, 
scientific library, and patent office worldwide. More information can be found e.g. at "http: / / www.cs.hut.fi/ crypto". 

The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be 
responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am 
not taking any responsibility on your behalf. 

NO WARRANTY 

BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE 
PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND 
PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL 
NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED 
ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES 
ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING 
RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY 
OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 

2) The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license. 

Cryptographic attack detector for ssh - source code 

Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved. Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that this copyright notice is retained. THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR 
IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE. 

Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com> 

3) ssh-keygen was contributed by David Mazieres under a BSD-style license. 

Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted provided that due 
credit is given to the author and the OpenBSD project by leaving this copyright notice intact. 
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4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following 
license: 

@version 3.0 (December 2000) 

Optimised ANSI C code for the Rijndael cipher (now AES) 

@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be> 

@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be> 

@author Paulo Barreto <paulo.barreto@terra.com.br> 

This code is hereby placed in the public domain. 

THIS SOFTWARE IS PROVIDED BY THE AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

5) One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original 
Berkeley code. 

Copyright (c) 1983, 1990, 1992, 1993, 1995 

The Regents of the University of California. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without 
specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders: 

Markus Friedl 

Theo de Raadt 
Niels Provos 
Dug Song 
Aaron Campbell 
Damien Miller 
Kevin Steves 
Daniel Kouril 
Wesley Griffin 
Per Allansson 
Nils Nordman 
Simon Wilkinson 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 

OpenSSL License 

Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
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2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: 

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit, (http:/ / www.openssl.org/)" 

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior 
written permission. For written permission, please contact 

openssl-core@openssl.org. 

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the 
OpenSSL Project. 

6. Redistributions of any form whatsoever must retain the following acknowledgment: 

"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http:/ / www.openssl.org/)" 

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
LIMITED TO, THE MPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 
EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,SPECIAL, 
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 



This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson 
(tjh@cryptsoft.com) . 

Original SSLeay License 



Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 

All rights reserved. 

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes 
SSL. 

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all 
code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution 
is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). 

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young 
should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in 
documentation (online or textual) provided with the package. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/ or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: 

"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" 

The word 'cryptographic' can be left out if the rouines from the library being used are not cryptographic related :-). 

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: 
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 
THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR 
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 

The licence and distribution terms for any publically available version or derivative of this code cannot be changed, i.e. this code cannot simply be 
copied and put under another distribution licence [including the GNU Public Licence.] 

Netscape NSPR 

Version: MPL 1.1 /GPL 2.0/LGPL 2.1 

The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the 
License. You may obtain a copy of the License at * http:/ / www.mozilla.org /MPL/ 

Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the 
License for the specific language governing rights and limitations under the License. 

The Original Code is the Netscape Portable Runtime (NSPR). 

The Initial Developer of the Original Code is * Netscape Communications Corporation. 

Portions created by the Initial Developer are Copyright (C) 1998-2000 
the Initial Developer. All Rights Reserved. * 
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Contributor (s): * 

Alternatively, the contents of this file may be used under the terms of * either the GNU General Public License Version 2 or later (the "GPL"), or * the 
GNU Lesser General Public License Version 2.1 or later (the "LGPL"), in which case the provisions of the GPL or the LGPL are applicable insteadof those 
above. If you wish to allow use of your version of this file only under the terms of either the GPL or the LGPL, and not to allow others to use your 
version of this file under the terms of the MPL, indicate your decision by deleting the provisions above and replace them with the notice and other 
provisions required by the GPL or the LGPL. If you do not delete the provisions above, a recipient may use your version of this file under the terms of 
any one of the MPL, the GPL or the LGPL. 

Net-SNMP 

Various copyrights apply to this package, listed in various separate parts below. Please make sure that you read all the parts. Up until 2001, the project 
was based at UC Davis, and the first part covers all code written during this time. From 2001 onwards, the project has been based at SourceForge, and 
Networks Associates Technology, Inc hold the copyright on behalf of the wider Net-SNMP community, covering all derivative work done since then. 
An additional copyright section has been added as Part 3 below also under a BSD license for the work contributed by Cambridge Broadband Ltd. to the 
project since 2001. An additional copyright section has been added as Part 4 below also under a BSD license for the work contributed by Sun 
Microsystems, Inc. to the project since 2003. 

Code has been contributed to this project by many people over the years it has been in development, and a full list of contributors can be found in the 
README file under the THANKS section. 



— Part 1: CMU/UCD copyright notice: (BSD like) 



Copyright 1989, 1991, 1992 by Carnegie Mellon University 



Derivative Work - 1996, 1998-2000 

Copyright 1996, 1998-2000 The Regents of the University of California 
All Rights Reserved 

Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the 
above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and 
that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software 
without specific written permission. 

CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE 
UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 
WHATSOEVER RESULTING 

FROM THE LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, 
ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 



— Part 2: Networks Associates Technology, Inc copyright notice (BSD) 



Copyright (c) 2001-2003, Networks Associates Technology, Inc. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote products derived 
from this software without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 



— Part 3: Cambridge Broadband Ltd. copyright notice (BSD) 



Portions of this code are copyright (c) 2001-2003, Cambridge Broadband Ltd. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

The name of Cambridge Broadband Ltd. may not be used to endorse or promote products derived from this software without specific prior written 
permission. 
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THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER "AS IS 1 ' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 
EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 



— Part 4: Sun Microsystems, Inc. copyright notice (BSD) 



Copyright © 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. 

Use is subject to license terms below. 

This distribution may include materials developed by third parties. 

Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. 
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

Neither the name of the Sun Microsystems, Inc. nor the names of its contributors may be used to endorse or promote products derived from this 
software without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED 
WARRANHES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANHES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 



— Part 5: Sparta, Inc copyright notice (BSD) 



Copyright (c) 2003-2006, Sparta, Inc. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

Neither the name of Sparta, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without 
specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 



— Part 6: Cisco /BUPTNIC copyright notice (BSD) 

Copyright (c) 2004, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications. All rights reserved. 
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

Neither the name of Cisco, Inc, Beijing University of Posts and Telecommunications, nor the names of their contributors may be used to endorse or 
promote products derived from this software without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED 
WARRANHES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANHES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 



— Part 7: Fabasoft R&D Software GmbH & Co KG copyright notice (BSD) 
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Copyright (c) Fabasoft R&D Software GmbH & Co KG, 2003 oss@fabasoft.com Author: Bernhard Penz 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

The name of Fabasoft R&D Software GmbH & Co KG or any of its subsidiaries, brand or product names may not be used to endorse or promote 
products derived from this software without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 
EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, 
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

PCRE 

Copyright (c) 1997-2001 University of Cambridge 

University of Cambridge Computing Service, Cambridge, England. Phone: +44 1223 334714. 

Written by: Philip Hazel <phlO@cam.ac.uk> 

Permission is granted to anyone to use this software for any purpose on any computer system, and to redistribute it freely, subject to the following 
restrictions: 

1. This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

2. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the 
University of Cambridge, England. 

ftp:/ /ftp.csx.cam.ac.uk/ pub/ software /programming/ pcre/ 

PHAOS SSLava and SSLavaThin 

Copyright (c) 1996-2003 Phaos Technology Corporation. All Rights Reserved. 

The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos, the design and development 
of which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. The 
software and any portions or copies thereof shall at all times remain the property of Phaos. 

PHAOS MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF 
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, REGARDING THE SOFTWARE, OR ITS USE AND OPERATION ALONE OR IN 
COMBINATION WITH ANY OTHER SOFTWARE. 

PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY 
PRODUCT OR SOFTWARE FOR ANY DAMAGES WHATSOEVER. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL, INCIDENTAL OR 
CONSEQUENTIAL DAMAGES, EVEN IF ADVISED OF THE POSSIBLITY OF SUCH DAMAGES. 

Python 2.5 license 

This is the official license for the Python 2.5 release: 

A. HISTORY OF THE SOFTWARE 



Python was created in the early 1990s by Guido van Rossum at Stichting Mathematisch Centrum (CWI, see http:/ / www.cwi.nl) in the Netherlands as a 
successor of a language called ABC. Guido remains Python's principal author, although it includes many contributions from others. 

In 1995, Guido continued his work on Python at the Corporation for National Research Initiatives (CNRI, see http:/ / www.cnri.reston.va.us) in Reston, 
Virginia where he released several versions of the software. 

In May 2000, Guido and the Python core development team moved to BeOpen.com to form the BeOpen PythonLabs team. In October of the same year, 
the PythonLabs team moved to Digital Creations (now Zope Corporation, see http:/ / www.zope.com). In 2001, the Python Software Foundation (PSF, 
see http:/ / www.python.org/psf/) was formed, a non-profit organization created specifically to own Python-related Intellectual Property. Zope 
Corporation is a sponsoring member of the PSF. 

All Python releases are Open Source (see http:/ / www.opensource.org for the Open Source Definition). Historically, most, but not all. Python releases 
have also been GPL-compatible; the table below summarizes the various releases. 



Table 1.1: 



Release 


Derived From 


Year 


Owner 


GPL-compatible? (1) 


0.9.0 thru 1.2 


- 


1991-1995 


CWI 


yes 


1.3 thru 1.5.2 


1.2 


1995-1999 


CNRI 


yes 


1.6 1.5.2 




2000 


CNRI 


no 


2.0 


1.6 


2000 


BeOpen.com 


no 


1.6.1 


1.6 


2001 


CNRI 


yes (2) 


2.1 


2.0+1 .6.1 


2001 


PSF 


no 
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Table 1.1: 



Release 


Derived From 


Year 


Owner 


GPL-compatible? (1) 


2.0.1 


2.0+1 .6.1 


2001 


PSF 


yes 


2.1.1 


2.1+2.0.1 


2001 


PSF 


yes 


2.2 


2.1.1 


2001 


PSF 


yes 


2.1.2 


2.1.1 


2002 


PSF 


yes 


2.1.3 


2.1.2 


2002 


PSF 


yes 


2.2.1 


2.2 


2002 


PSF 


yes 


2.2.2 


2.2.1 


2002 


PSF 


yes 


2.2.3 


2.2.2 


2003 


PSF 


yes 


2.3 


2.2.2 


2002-2003 


PSF 


yes 


2.3.1 


2.3 


2002-2003 


PSF 


yes 


2.3.2 


2.3.1 


2002-2003 


PSF 


yes 


2.3.3 


2.3.2 


2002-2003 


PSF 


yes 


2.3.4 


2.3.3 


2004 


PSF 


yes 


2.3.5 


2.3.4 


2005 


PSF 


yes 


2.4 


2.3 


2004 


PSF 


yes 


2.4.1 


2.4 


2005 


PSF 


yes 


2.4.2 


2.4.1 


2005 


PSF 


yes 


2.4.3 


2.4.2 


2006 


PSF 


yes 


2.5 


2.4 


2006 


PSF 


yes 



Footnotes: (1) GPL-compatible doesn't mean that we're distributing Python under the GPL. All Python licenses, unlike the GPL, let you distributea 
modified version without making your changes open source. The GPL-compatible licenses make it possible to combine Python with other software that 
is released under the GPL; the others don't. 

(2) According to Richard Stallman, 1.6.1 is not GPL-compatible, because its license has a choice of law clause. According to CNRI, however. Stallman's 
lawyer has told CNRI's lawyer that 1.6.1 is "not incompatible" with the GPL. 

Thanks to the many outside volunteers who have worked under Guido's direction to make these releases possible. 

B. TERMS AND CONDITIONS FOR ACCESSING OR OTHERWISE USING PYTHON 



PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 



1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and 
otherwise using this software ("Python") in source or binary form and its associated documentation. 

2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to 
reproduce, analyze, test, perform and/ or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative 
version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python 
Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. 

3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work 
available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. 

4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. 
BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF 
MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD 
PARTY RIGHTS. 

5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL 
DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN 
IF ADVISED OF THE POSSIBILITY THEREOF. 

6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. 

7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This 
License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of 
Licensee, or any third party. 

8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. 
BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 



BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1 

1. This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the 
Individual or Organization ("Licensee") accessing and otherwise using this software in source or binary form and its associated documentation ("the 
Software"). 

2. Subject to the terms and conditions of this BeOpen Python License Agreement, BeOpen hereby grants Licensee a non-exclusive, royalty-free, 
world-wide license to reproduce, analyze, test, perform and/ or display publicly, prepare derivative works, distribute, and otherwise use the Software 
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alone or in any derivative version, provided, however, that the BeOpen Python License is retained in the Software, alone or in any derivative version 
prepared by Licensee. 

3. BeOpen is making the Software available to Licensee on an "AS IS" basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS 
OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY 
OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY 
THIRD PARTY RIGHTS. 

4. BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR 
CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE 
THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 

5. This License Agreement will automatically terminate upon a material breach of its terms and conditions. 

6. This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, excluding conflict of law provisions. 
Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between BeOpen and Licensee. 
This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or 
services of Licensee, or any third party. As an exception, the "BeOpen Python" logos available at http:/ /www.pythonlabs.com/logos.html may be used 
according to the permissions granted on that web page. 

7. By copying, installing or otherwise using the software. Licensee agrees to be bound by the terms and conditions of this License Agreement. 

CNRI LICENSE AGREEMENT FOR PYTHON 1.6.1 



1. This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston White Drive, Reston, VA 
20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 1.6.1 software in source or binary form and its 
associated documentation. 

2. Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a nonexclusive, royalty-free, world-wide license to 
reproduce, analyze, test, perform and/ or display publicly, prepare derivative works, distribute, and otherwise use Python 1.6.1 alone or in any 
derivative version, provided, however, that CNRI's License Agreement and CNRI's notice of copyright, i.e., "Copyright (c) 

1995-2001 Corporation for National Research Initiatives; All Rights Reserved" are retained in Python 1.6.1 alone or in any derivative version prepared by 
Licensee. Alternately, in lieu of CNRI's License Agreement, Licensee may substitute the following text (omitting the quotes): "Python 1.6.1 is made 
available subject to the terms and conditions in CNRI's License Agreement. This Agreement together with Python 1.6.1 may be located on the Internet 
using the following unique, persistent identifier (known as a handle): 1895.22/1013. This Agreement may also be obtained from a proxy server on the 
Internet using the following URL: http:/ /hdl.handle.net/1895.22/1013". 

3. In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6.1 or any part thereof, and wants to make the derivative 
work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python 
1 . 6 . 1 . 

4. CNRI is making Python 1.6.1 available to Licensee on an "AS IS" 

basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI 
MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR 
PURPOSE OR THAT THE USE OF PYTHON 1.6.1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. 

5. CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON 1.6.1 FOR ANY INCIDENTAL, SPECIAL, OR 
CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON 1.6.1, OR ANY 
DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 

6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. 

7. This License Agreement shall be governed by the federal intellectual property law of the United States, including without limitation the federal 
copyright law, and, to the extent such U.S. federal law does not apply, by the law of the Commonwealth of Virginia, excluding Virginia’s conflict of law 
provisions. Notwithstanding the foregoing, with regard to derivative works based on Python 1.6.1 that incorporate non-separable material that was 
previously distributed under the GNU General Public License (GPL), the law of the Commonwealth of Virginia shall govern this License Agreement 
only as to issues arising under or with respect to Paragraphs 4, 5, and 7 of this License Agreement. Nothing in this License Agreement shall be deemed 
to create any relationship of agency, partnership, or joint venture between CNRI and Licensee. This License Agreement does not grant permission to use 
CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. 

8. By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6.1, Licensee agrees to be bound by the 
terms and conditions of this License Agreement. 

ACCEPT 

CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 



Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, 

The Netherlands. All rights reserved. 

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that 
the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and 
that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without 
specific, written prior permission. 

STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED 
WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY 
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION 
WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 

Proview 
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Written by Bengaly (R) 2003-2005. 

As a part of the Proview (a.k.a PVDasm). 

Permission is granted to make and distribute verbatim copies of this Program provided the copyright notice and this permission notice are Preserved on 
all copies. 

RealSystem 

The RealNetworks® RealProxy™ Server is included under license from RealNetworks, Inc. Copyright 1996-1999, RealNetworks, Inc. All rights 
reserved. 

SmartFilter 

Copyright (c) 2003 Secure Computing Corporation. All rights reserved. 

STLport 

Copyright (c) 1999, 2000 Boris Fomitchev 

This material is provided "as is", with absolutely no warranty expressed or implied. Any use is at your own risk. 

Permission to use or copy this software for any purpose is hereby granted without fee, provided the above notices are retained on all copies. Permission 
to modify the code and to distribute modified code is granted, provided the above notices are retained, and a notice that the code was modified is 
included with the above copyright notice. 

The code has been modified. 

Copyright (c) 1994 Hewlett-Packard Company 

Copyright (c) 1996-1999 Silicon Graphics Computer Systems, Inc. 

Copyright (c) 1997 Moscow Center for SPARC Technology 

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the 
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. 
Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or 
implied warranty. 

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the 
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon 
Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty. 

Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the 
above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. 
Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. It is provided "as is" without 
express or implied warranty. 

SurfControl 

Copyright (c) 2003 SurfControl, Inc. All rights reserved. 

Symantec AntiVirus Scan Engine 

Copyright (c) 2003 Symantec Corporation. All rights reserved. 

SWIG 

SWIG is distributed under the following terms: 

I. 

Copyright (c) 1995-1998 

The University of Utah and the Regents of the University of California 
All Rights Reserved 

Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and distribute this software and its 
documentation for any purpose, provided that (1) The above copyright notice and the following two paragraphs appear in all copies of the source code 
and (2) redistributions including binaries reproduces these notices in the supporting documentation. Substantial modifications to this software may be 
copyrighted by their authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated in all files where 
they apply. 

IN NO EVENT SHALL THE AUTHOR, THE UNIVERSITY OF CALIFORNIA, THE UNIVERSITY OF UTAH OR DISTRIBUTORS OF THIS SOFTWARE 
BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF 
THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE AUTHORS OR ANY OF THE ABOVE PARTIES HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 

THE AUTHOR, THE UNIVERSITY OF CALIFORNIA, AND THE UNIVERSITY OF UTAH SPECIFICALLY DISCLAIM ANY 

WARRANTIES,INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE AUTHORS AND DISTRIBUTORS HAVE NO 
OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. 

II. 

This software includes contributions that are Copyright (c) 1998-2005 
University of Chicago. 

All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary 
form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/ or other materials 
provided with the distribution. Neither the name of the University of Chicago nor the names of its contributors may be used to endorse or promote 
products derived from this software without specific prior written permission. 



xviii 



THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY OF CHICAGO AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED 
WARRANHES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE UNIVERSITY OF CHICAGO OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 

TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPHON) HOWEVER 
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

III. 

This software includes contributions that are Copyright (c) 2005-2006 
Arizona Board of Regents (University of Arizona). 

All Rights Reserved 

Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and distribute this software and its 
documentation for any purpose, provided that (1) The above copyright notice and the following two paragraphs appear in all copies of the source code 
and (2) redistributions including binaries reproduces these notices in the supporting documentation. Substantial modifications to this software may be 
copyrighted by their authors and need not follow the licensing terms described here, provided that the new terms are clearly indicated in all files where 
they apply. 

THIS SOFTWARE IS PROVIDED BY THE UNIVERSITY OF ARIZONA AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE UNIVERSITY OF ARIZONA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, 
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

TCPIP 

Some of the files in this project were derived from the 4.X BSD (Berkeley Software Distribution) source. 

Their copyright header follows: 

Copyright (c) 1982, 1986, 1988, 1990, 1993, 1994, 1995 

The Regents of the University of California. All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: 

This product includes software developed by the University of California, Berkeley and its contributors. 

4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without 
specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 

Trend Micro 

Copyright (c) 1989-2003 Trend Micro, Inc. All rights reserved. 

zip.cpp 

THIS FILE is almost entirely based upon code by info-zip. It has been modified by Lucian Wischik. The modifications were a complete rewrite of the bit 
of code that generates the layout of the zipfile, and support for zipping to/ from memory or handles or pipes or pagefile or diskfiles, encryption, 
Unicode. The original code may be found at http:/ / www.info-zip.org . The original copyright text follows.. 

This is version 1999-Oct-05 of the Info-ZIP copyright and license. 

The definitive version of this document should be available at ftp:ftp.cdrom.compubinfoziplicense.html indefinitely. 

Copyright (c) 1990-1999 Info-ZIP. All rights reserved. 

For the purposes of this copyright and license, "Info-ZIP" is defined as the following set of individuals: 

Mark Adler, John Bush, Karl Davis, Harald Denker, Jean-Michel Dubois, Jean-loup Gailly, Hunter Goatley, Ian Gorman, Chris Herborth, Dirk Haase, 
Greg Hartwig, Robert Heath, Jonathan Hudson, Paul Kienitz, David Kirschbaum, Johnny Lee, Onno van der Linden, Igor Mandrichenko, Steve P. Miller, 
Sergio Monesi, Keith Owens, George Petrov, Greg Roelofs, Kai Uwe Rommel, Steve Salisbury, Dave Smith, Christian Spieler, Antoine Verheijen, Paul von 
Behren, Rich Wales, Mike White 

This software is provided "as is," without warranty of any kind, express or implied. In no event shall Info-ZIP or its contributors be held liable for any 
direct, indirect, incidental, special or consequential damages arising out of the use of or inability to use this software. 

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject 
to the following restrictions: 

1. Redistributions of source code must retain the above copyright notice, definition, disclaimer, and this list of conditions. 
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2. Redistributions in binary form must reproduce the above copyright notice, definition, disclaimer, and this list of conditions in documentation andor 
other materials provided with the distribution. 

3. Altered versions—including, but not limited to, ports to new operating systems, existing ports with new graphical interfaces, and dynamic, shared, or 
static library versions— must be plainly marked as such and must not be misrepresented as being the original source. Such altered versions also must 
not be misrepresented as being Info-ZIP releases— including, but not limited to, labeling of the altered versions with the names "Info-ZIP" (or any 
variation thereof, including, but not limited to, different capitalizations), "Pocket UnZip," "WiZ" or "MacZip" without the explicit permission of Info-ZIP. 
Such altered versions are further prohibited from misrepresentative use of the Zip-Bugs or Info-ZIP e-mail addresses or of the Info-ZIP URL(s). 

4. Info-ZIP retains the right to use the names "Info-ZIP," "Zip," "UnZip," "WiZ," "Pocket UnZip," "Pocket Zip," and "MacZip" for its own source and 
binary releases. 

zlib.h -- interface of the 'zlib' general purpose compression library 

version 1.2.3, July 18th, 2005 
Copyright (C) 1995-2005 
Jean-loup Gailly and Mark Adler 

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the 
use of this software. 

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject 
to the following restrictions: 

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, 
an acknowledgment in the product documentation would be appreciated but is not required. 

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 

3. This notice may not be removed or altered from any source distribution. 

Jean-loup Gailly Mark Adler 

jloup@gzip.org madler@alumni.caltech.edu 

The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files http: / / www.ietf.org/rfc/rfcl950.txt (zlib 
format), rfcl951.txt (deflate format) and rfcl952.txt (gzip format). 

BSD Tar 

All of the C source code and documentation in this package is subject to the following: 

Copyright (c) 2003-2006 Tim Kientzle 
All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer in this position and 
unchanged. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR 
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 

libarchive 2.3.1 

All of the C source code and documentation in this package is subject to the following: 

Copyright (c) 2003-2006 Tim Kientzle 
All rights reserved. 

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer in this position and 
unchanged. 

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
and/or other materials provided with the distribution. 

THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT 
SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR 
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR 
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGE. 
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Chapter 1: Introduction 



Volume 1: Getting Started describes how to access the ProxySG using the CLI or 
Management Console, and provides basic configuration information that is 
required in every environment. 

About This Book 

This book includes the following topics: 

□ Chapter 2: "Licensing" on page 31 

□ Chapter 3: "Accessing the ProxySG" on page 43 

□ Chapter 4: "Configuring Basic Settings" on page 51 

□ Chapter 5: "Configuring Adapters and Virtual LANs" on page 57 

□ Chapter 6: "Software and Hardware Bridges" on page 75 

□ Chapter 7: "Distributing Traffic Through Gateways" on page 91 

□ Chapter 8: "Configuring DNS" on page 97 

□ Chapter 9: "Backing Up the Configuration" on page 109 

□ "Glossary" on page 141 

Document Conventions 

Table 1-1 lists the typographical and Command Line Interface (CLI) syntax 
conventions used in this manual. 

Table 1-1 Document Conventions 



Conventions 


Definition 


Italics 


The first use of a new or Blue Coat-proprietary term. 


Courier font 


Screen output. For example, command line text, file names, and 
Blue Coat Content Policy Language (CPL). 


Courier Italics 


A command line variable that is to be substituted with a literal 
name or value pertaining to the appropriate facet of your 
network system. 


Courier Boldface 


A Blue Coat literal to be entered as shown. 


Arial Boldface 


Screen elements in the Management Console. 


{ } 


One of the parameters enclosed within the braces must be 
supplied 


[ ] 


An optional parameter or parameters. 
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Table 1-1 Document Conventions (Continued) 

I Either the parameter before or after the pipe character can or 

must be selected, but not both. 



Notes and Warnings 

The following is provided for your information and to caution you against actions 
that can result in data loss or personal injury: 



Note: Information to which you should pay attention. 



Important: Critical information that is not related to equipment damage or 

personal injury (for example, data loss). 



WARNING! Used only to inform you of danger of personal injury or physical 
damage to equipment. An example is a warning against electrostatic discharge 
(ESD) when installing equipment. 



About Procedures 

Many of the procedures in this volume begin: 

□ Select Configuration > TabName, if you are working in the Management Console, 
or 

□ From the (config) prompt, if you are working in the command line interface (CLI). 

Blue Coat assumes that you are logged into the first page of the Management 
Console or entered into configuration mode in the CLI. 



Illustrations 

To save space, screen shots illustrating a procedure often have the bottom portion 
removed, along with the blank space. 
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General 

- Unique name for this ProxySG Appliance: 

Name: 172.16,90.44 - Blue Coat SG200 Series 




Preview || Apply |[ Revert || Help 

Figure 1-1 Configuration > General Tab with Bottom Buttons 

□ Preview: Use this button to view the configuration changes before applying the 
configuration to the ProxySG. To modify your changes, click Close and return 
to the tab whose settings you want to modify 

□ Apply: Use this button to apply unsaved configuration changes to the ProxySG. 

□ Revert: Use this button to revert any unapplied changes to the ProxySG 
configuration. Changes that previously have been applied to the ProxySG are 
not affected. 

□ Help: Use this button to view conceptual and procedural documentation about 
the tab's topic. 



General 

Unique name for this ProxySG Appliance: 

Name: 



172.16.90.44 - Blue Coat SG200 Series 



Serial number of the ProxySG Appliance: 

Serial number: 



Figure 1-2 Configuration > General Tab with Bottom Buttons Removed 
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Related Documentation 

The following table describes the volumes in the Blue Coat ProxySG Configuration and 
Management Guide Suite. 



Document 


Description 


Volume 1: Getting Started 


Volume 1, the introduction to the Blue 
Coat ProxySG Configuration and 
Management Guide State, describes basic 
set up and configuration. 


Volume 2: Proxies and Proxy Servicess 


Volume 2 describes the various proxies 
that are available, as well basic and 
advanced configuration information. 


Volume 3: Web Communication Proxies 


Volume 3 discusses IM and streaming 
proxies, including real-time streaming 
protocol (RTSP) and Windows Media 
over HTTP. 


Volume 4: Securing the Blue Coat ProxySG 
Appliance 


Volume 4 discusses security of the: 

• SGOS system 

• enterprise 

• Internet 


Volume 5: Advanced Netivorking 


Volume 5 discusses networking tasks 
that do not need to be done in all 
environments, such as WAN 
optimization, setting failover and 
configuring TCP-IP, attack detection, 
and WCCP Health checks, forwarding, 
and managing bandwidth are also 
discussed in this volume. 


Volume 6: The Visual Policy Manager and 
Advanced Policy 


Volume 6 discusses configuring policy 
through the graphical uer interface 
called the Visual Policy Manager 
(VPM). Also discussed in this volure are 
the four policy files that are used to 
manage policy and pop-up ad blocking, 
managing active content, and creating 
exceptions. 

This volume also contains a reference 
guide and several tutorials for using 
VPM. 


Volume 7: Managing Content 


Volume 7 discusses content filtering for 
the Internet, including how to configure 
and use third-party vendors with the 
ProxySG. 

External Services (ICAP and Websense 
off-box) are also found in this volume. 
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Document 


Description 


Volume 8: Access Logging 


Volume 8 discusses log formats, upload 
clients, upload schedules, and 
protocols. The Access Log Formats 
appendix discusses ELFF, SQUID, 
NCSA/Common, and custom logs. 


Volume 9: Managing the Blue Coat ProxySG 
Appliance 


Volume 9 discusses upgrading the 
system and configuring event logs, 
SMNP, STMP, heartbeats, and core 
images, as well as diagnostics. 

Health monitoring, new in this release, 
is discussed in this volume. 

The statistics chapter discusses viewing 
various kinds of statistics, including 
system usage, efficiency, resources, and 
logs of all kinds. 


Volume 10: Content Policy Language Guide 


Volume 10 discusses configuring policy 
without VPM by using Content Policy 
Language (CPL). 
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This chapter describes the ProxySG licensing behavior. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "About Licensing" on page 31 

□ "Licensable Components" on page 31 

□ "About the Trial Period" on page 33 

□ "Disabling the Components Running in Trial Period" on page 34 

□ "About License Expiration" on page 35 

□ "About the System Serial Number" on page 35 

□ "Obtaining a Web Power Account" on page 35 

□ "Registering and Licensing Blue Coat Hardware and Software" on page 36 

□ "Retrieving the License" on page 38 

□ "Manual License Installation" on page 38 

□ "Manually Updating a License" on page 40 

□ "Automatically Updating a License" on page 41 

About Licensing 

SGOS 5.3 features a global licensing system for the SGOS software. License key 
files are issued on a per-appliance basis. One license key file includes all of the 
component licenses for whichever SGOS features you have elected to use. 



Note: When your ProxySG order was completed, you received an e-mail that 
contained serial numbers for licensable components. Those numbers are 
required for the procedures in this chapter. 



Licensable Components 

There are three types of licensable components: 

□ Required — The SGOS 5; these features are required on the ProxySG. 

□ Included — Additional SGOS 5.x features, which are provided by Blue Coat 
and that are included in the SGOS 5 base license. 

□ Optional — Any additional (purchased) features. 

When the license key file is created, it contains components of all three types. 
The following table lists the ProxySG licensable components, categorized by 
type. 
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Table 2-1 Licensable Components 



Type 


Component 


Description 


Required 


SGOS Base 


The ProxySG operating system, plus base features: 
HTTP, FTP, TCP-Tunnel, SOCKS, and DNS proxy. 


Included 


3rd Party Onbox 
Content Filtering 


Allows use with third-party vendor databases: Intersafe, 
Optenet, Proventia, SmartFilter, SurfControl, Websense, 
and Webwasher. 


Included 


ProxyClient 

Acceleration 


Enables you to support acceleration with ProxyClients in 
your enterprise. 


Included 


ProxyClient Web 
Filtering 


Enables you to support content filtering with 
ProxyClients in your enterprise. 

The Web filtering license requires BCWF license and a 
fresh (not older than 60 days) BCWF database to be 
present on the Client Manager. 


Included 


Websense Offbox 
Content Filtering 


For Websense off -box support only. 


Included 


ICAP Services 


External virus and content scanning with ICAP servers. 


Included 


Bandwidth 

Management 


Allows you to classify, control, and, if required, limit the 
amount of bandwidth used by different classes of 
network traffic flowing into or out of the ProxySG. 


Included 


Windows Media 
Streaming 


MMS and RTSP proxy for Windows Media content; 
content caching and splitting. 

Full policy control over MMS and RTSP traffic for 
Windows Media content. 

When the maximum number of concurrent streams is 
reached, all subsequent streams are denied and the client 
receives a message. 


Included 


Real Media 
Streaming 


RTSP proxy for Real Media content; content caching and 
splitting. 

Full policy control over RTSP traffic for Real Media 
content. 

When the maximum number of concurrent streams is 
reached, all subsequent streams are denied and the client 
receives a message. 


Included 


QuickTime 

Streaming 


RTSP proxy for QuickTime content; no caching or 
splitting; content pass-through. 

Full policy control over RTSP traffic for QuickTime 
content. 


Included 


Netegrity 

SiteMinder 


Allows realm initialization and user authentication to 
SiteMinder servers. 


Included 


Oracle COREid 


Allows realm initialization and user authentication to 
COREid servers. 
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Table 2-1 Licensable Components (Continued) 



Type 


Component 


Description 


Included 


Peer-to-Peer 


Allows you to recognize and manage peer-to-peer P2P 
activity relating to P2P file sharing applications. 


Included 


HTTP 

Compression 


Allows reduction to file sizes without losing any data. 


Optional 


SSL 


SSL Proxy and HTTPS Reverse Proxy (SSL termination). 


Optional 


AOL Instant 
Messaging 


AIM proxy with policy support for AOL Instant 
Messenger. 


Optional 


MSN Instant 
Messaging 


MSN proxy with policy support for MSN Instant 
Messenger. 


Optional 


Yahoo Instant 
Messaging 


Yahoo proxy with policy support for Yahoo Instant 
Messenger. 



About the Trial Period 

Blue Coat provides a trial period, enabled by default. During initial configuration 
of new hardware, you can specify an edition of SGOS to run during the trial 
period. The ProxySG can run either the MACH5 or Proxy Edition of SGOS during 
the trial period. 



Note: If you select Proxy Edition for the trial period but you purchase a 
MACH5 Edition license, the ProxySG configuration is reset when you install 
the license. The following defaults differ between the two editions: default 
proxy policy, trust destination IP address, transparent WAN interception on 
disabled bridge cards, and tolerating HTTP requests. 



In the trial period, the Base SGOS user limit is unlimited. When a full license is 
installed, any user limits imposed by that license are enforced, even if the trial 
period is still valid. 

The initial system boot-up triggers the 60-day trial; during this time you can 
evaluate the SGOS functionality. For the first 60 days, all licensable components 
for the trial edition you chose are active and available to use. When a license or 
demo license is installed during the trial period, components previously available 
in the trial period, but not part of that license, remain available and active for the 
remainder of the trial period. However, if the license edition is different than the 
trial edition you selected, only functionality available in the edition specified in 
the license remains available for trial. 

If you require more time to explore the SGOS features, a demo license is available; 
refer to your reseller or contact Blue Coat Sales. 

Viewing License Status 

There are two methods to access the license status page: 
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□ Each time you navigate to the Management Console Statistics/Configuration/ 
Maintenance pages, the license status displays as a link in the upper right hand- 
corner. Hovering over the license link displays information, such as the 
expiration date of the trial period. Click the link to switch to the View license 
tab. ~or~ 

□ Select Maintenance > Licensing > View, displays the license components with 
expiration dates. 



License 



components 



For more 
details, select a 
component and 
click. 



View Install 

Licensed Components 



Component 


Valid 


Expiration Date 




SGOS5 


yes 


2008-07-28 


A 


■Windows Media Streaming 


yes 


2008-07-28 




Real Media Streaming 


yes 


2008-07-28 




QuickTime Streaming 


yes 


2008-07-28 




oSL 


yes 


2008-07-28 


V 



r General License Information 



Hardware serial number: 

License creation date: 

Concurrent users (with ADN enabled): unlimited 

Concurrent users (without ADN enabled): unlimited 



Trial Components are enabled 



|~1 Disable 



Disabling the Components Running in Trial Period 

You have the option to not let users access features that are currently running in 
trial period; however, you cannot selectively disable trial period features. You 
must either enable all of them or disable all of them. 

To disable trial period components: 

1. Select Maintenance > Licensing > View. 

2. Select the Trial Components are enabled option. 

3. Click Apply. 

4. Click Refresh Data. All licenses that are in trial period switch from Yes to No. 
Users cannot use these features, and no dialogs warning of license expiration 
are sent. 

Also notice that this option text changes to Trial Components are disabled: Enabled. 
Repeat this process to re-enable trial licenses. 
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About License Expiration 

At the end of the trial or demo period or, subsequently, when any normally 
licensed component expires, components that have not been licensed do not 
process requests; all requests bypass the ProxySG if the default policy is set to 
ALLOW. A license expiration notification message is logged in the Event Log 
(refer to the Event log information in Volume 7: Managing Content for details). 

If a license expires, users might not receive notification, depending upon the 
application they are using. Notifications do occur for the following: 

□ HTTP (Web browsers) — An HTML page is displayed stating the license has 
expired. 

□ SSL — An exception page appears when an HTTPS connection is attempted. 

□ Instant Messaging clients — Users do not receive a message that the license has 
expired. Any IM activity is denied, and to the user it appears that the logon 
connection has failed. 

□ FTP clients — If the FTP client supports it, a message is displayed stating the 
license has expired. 

□ Streaming media clients — If the Windows Media Player, RealPlayer, or 
QuickTime player version supports it, a message is displayed stating the 
license has expired. 

□ ProxyClient — After the trial license has expired, clients cannot connect to the 
ADN network. 

You can still perform SGOS configuration tasks through the CLI, SSH console, 
serial console, or Telnet connection. Although the component is disabled, feature 
configurations are not altered. Also, policy restrictions remain independent of 
component availability. 

About the System Serial Number 

Each ProxySG serial number is the appliance identifier used to assign a license 
key file. The ProxySG contains an EEPROM with the serial number encoded. The 
appliance recognizes the serial number upon system boot-up. 

The serial number is visible by navigating to Configuration > General > Identification. 

Obtaining a WebPower Account 

Before you can register your ProxySG and retrieve the license key, you must have 
a Blue Coat WebPower user account. 

If you do not have a WebPower account or have forgotten your account 
information, perform the following procedure. 
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To obtain a WebPower account: 

1. Select Maintenance > Licensing > Install. 

2. In the License Administration field, click Register/Manage. The License 
Configuration and Management Web page appears (ignore the dialog at this 
time). 

3. Perform one of the following: 

To obtain a new account, click the link for Need a WebPower User ID. Enter the 
information as prompted. 

To obtain your current information for an existing account, click the Forgot 
your password link. 

Registering and Licensing Blue Coat Hardware and Software 

This section describes how to automatically register the hardware and software 
with Blue Coat. 

□ If you have not manually registered the hardware, you can automatically 
register the hardware and install the software license in one step. Continue 
with the procedure in this section. 

□ If you have new hardware (SG210, SG510, SG810, SG 8100) that previously has 
been registered, the license is already associated with the hardware. Navigate 
to Maintenance > Licensing > Install and click Retrieve to obtain the license. For 
more information, see "To retrieve the software license:" on page 38. 

□ If you have older hardware that previously has been registered or if the 
ProxySG does not have Internet access, you can install the software license 
under Maintenance > Licensing > Install. For more information, see "Manual 
License Installation" on page 38. 

To register the hardware and software: 

1. Open a browser and verify pop-up blocking is disabled. 

2. Enter the SGOS Management Console URL. 

https : / / IPaddress: 8082 

3. Enter the access credentials specified during initial setup. 

4. Click Management Console. The license warning/ registration page displays. 
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5. Enter your WebPower credentials and click Register Now. It might take up for a 
minute for the Registration Status field to display the results. 

6. Click Continue. 

7. Select Maintenance > Licensing > View. 



View Install 

- Licensed Components 



Component 


Valid 


Expiration Date 




SGOS5 


yes 


2008-07-28 


A 


Windows Media Streaming 


yes 


2008-07-28 




Real Media Streaming 


yes 


2008-07-28 




QuickTime Streaming 


yes 


2008-07-28 




SSL 


yes 


2008-07-28 


V 



| View Details | | Refresh Data | 



- General License Information 

Hardware serial number; 

License creation date; 

Concurrent users (with ADN enabled); unlimited 
Concurrent users (without ADN enabled); unlimited 



Trial Components are enabled d Disable 



Each licensable component is listed, along with its validity and its expiration 
date. 

• To view the most current information, click Refresh Data. 

• Elighlight a license component and click View Details. A dialog displays 
with more detailed information about that component. 
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• If the trial period is enabled and you click Maintenance > Licensing > View, the 
Management Console displays a check box to disable the trial 
components. If the trial period is disabled, the Management Console 
displays a check box to enable the trial components. 



If the ProxySG is a new system and the hardware has been registered, you can 
retrieve the associated license by completing the following steps: 

To retrieve the software license: 

1. Navigate to Maintenance > Licensing > Install. 

2. Click Retrieve. The Request License Key dialog displays. 

a. Enter your WebPower account login information. 

b. Click Send Request. The Confirm License Install dialog displays. 

c. Click OK to close the dialog. 

3. Click OK when the License Install Succeeded message displays. 

4. Click Close to close the Request License Key dialog. 



Perform manual license installation if: 

□ The ProxySG serial number is not associated with a software license (you have 
registered the hardware separately). 

□ The ProxySG does not have Internet access. 

To manually obtain and install the license: 

1. Select Maintenance > Licensing > Install. 

2. Click Register/Manage. A new browser window opens and prompts you for 
your WebPower login information. 

3. Enter your WebPower username and password and click Login. The Support - 
License Management page displays. 



4. Click the serial number of the unit. The Support - License Management Manage 
Serial Numbers/Obtain IM License page displays. 



Retrieving the License 



Manual License Installation 



Support - License Management 



Currently Registered Hardware: 




The followino aoplja nces are currently registered to your organization: 



To configure the software license for an appliance listed above, select that appliance's serial 
number. 
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Support - License Management 



| Manage Software Serial Numbers | 



[ Obtain IM License~| 



[ Return to Main Screen | 



5. Click Manage Software Serial Numbers. The License Self Service Change Hardware 
Record displays. 



LICENSE SELF-SERVICE CHANGE HARDWARE RECORD 



You are currently reviewing the software options associated with: 

Hardware Model: Blue Coat SG200-B Valued Customer: 

Hardware Serial Number: 4605060001 Organization: Blue Coat Systems Tech 



4605060001 - Blue Coat SG200-B 

The following software options are currently linked to this product. To modify this configuration 

Software SM Description 

No Installed Software 



«asa 

Add a New Software Option to this appliance 

To link a software option that is not listed above, record the software serial number(s) below and click 'Apply*. 




6. The next action depends on whether you have Internet access, 
a. If the ProxySG has Internet access: 

• Click Add to add a software license to the appliance. 




. select the appropriate tab below and follow the instructions 
Expires 
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• Using the serial numbers you received when the ProxySG shipment 
was delivered, add the serial numbers. 

• Click Apply when finished. The software license is now associated with 
the hardware. 

• From Management Console > Maintenance > Licensing > Install, click Retrieve 
and provide the Web Power login information again. For more 
information on the Retrieve procedure, see "To retrieve the software 
license:" on page 38. 

b. If the ProxySG does not have Internet access: 

• In the Cust Info > Links panel, click Get License. You are prompted to save 
a .bin file with the license information. 

• Save the .bin file. 

• From Management Console > Maintenance > Licensing > Install, select one of 
the following from the License Key Manual Installation drop-down list and 
click Install: 



Note: A message is written to the event log when you install a 
license through the ProxySG. 



• Remote URL — If the file resides on a Web server. The Install License Key 
dialog displays. 

Enter the URL path and click Install. The Installation Status field displays 
relevant information. When installation is complete, click Results; 
examine the results, close the window, and click OK. Click Apply. 

• Local File — If the file resides in a local directory. The Upload and Install 
File window opens. 

Enter a path to the license file or click Browse and navigate to the file. 
Click Install. A results window opens. Examine the license installation 
results; close the window. Click Close. Click Apply. 

The license is now installed. All features that you subscribed to are fully 
operational. 

Manually Updating a License 

After the initial license installation, you might decide to use another feature that 
requires a license. The license must be updated to support the new feature. 
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To update a license: 

1. Select Maintenance > Licensing > Install. 

2. Click Register/Manage. 

3. Follow the instructions on the Blue Coat License Self-Service Web page. 

4. If using the automatic license installation feature, click Update; otherwise, 
manually install the license as described in "Manual License Installation" on 
page 38. 

Automatically Updating a License 

The license automatic update feature allows the ProxySG to contact the Blue Coat 
licensing Web page 31 days before the license is to expire. If a new license has 
been purchased and authorized, the license is automatically downloaded. If a new 
license is not available on the Web site, the ProxySG continues to contact the Web 
site daily for a new license until the current license expires. Outside the above 
license expiration window, the ProxySG performs this connection once every 30 
days to check for new license authorizations. This feature is enabled by default. 

To configure the license auto-update: 

1. Select Maintenance > Licensing > Install. 

2. Select Use Auto-Update. 

3. Select Apply. 



Note: If the automatic license update fails and you receive a Load from Blue 
Coat error. 



4. You must log on to your License Management account: 

https://services.bluecoat. com/ e se rvi ceenu/ li censing /mgr . cgi . 

5. Click Update License Key. 



Related CLI Syntax to Manage Licensing 

SGOS# licensing {disable-trial | enable-trial} 

SGOS# licensing request-key [force] user_ID password 
SGOS# licensing update-key [force] 

SGOS# licensing register-hardware [force] user_ID password 
SGOS# licensing mark-registered 
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This chapter discusses the various methods to access the ProxySG appliance. 

The SGOS software uses the Secure Shell (SSH) and HTTPS protocols to 
securely access the SGOS CLI and Management Console. Both SSHvl and 
SSHv2 are enabled by default, and host keys have already been created on the 
ProxySG. 

All data transmitted between the client and the ProxySG using SSH/HTTPS is 
encrypted. 

During initial configuration, you assigned the ProxySG a username and 
password and a privileged-mode (enabled /configuration) password. These 
passwords are always stored and displayed hashed. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "Before You Begin: About Modes" on page 43 

□ "Accessing the ProxySG" on page 44 

□ "Changing the Logon Parameters" on page 48 



Important: This chapter assumes that you have completed the first-time setup 

of the ProxySG using either the front panel or serial console, and that the 
appliance is running on the network. These steps must be completed before 
accessing the appliance. 



You can manage the ProxySG by logging on to and using one of the following: 

□ An SSH session to access the CLI. 

□ The Management Console graphical interface. 

You can also use a serial console to access the CLI. 



Note: To use a Telnet session, you must use a serial console connection until 
you configure Telnet for use. (For security reasons Blue Coat does not 
recommend using Telnet). 



Before You Begin: About Modes 

SGOS 5.x supports different levels of command security: 

□ Standard, or unprivileged, mode is read-only. You can see but not change 
system settings and configurations. This is the level you enter when you 
first access the CLI. 
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□ Enabled, or privileged, mode is read-write. You can make immediate but not 
permanent changes to the ProxySG, such as restarting the system. This is the 
level you enter when you first access the Management Console. 

□ Configuration is a mode within the Enabled mode. From this level, you can 
perform permanent changes to the ProxySG configuration. 

If you use the Management Console, you are in configuration mode when you log 
into Enabled mode and type conf t. 

If you use the CLI, you must enter each level separately: 

Username: admin 
Password: 

SGOS> enable 
Enable Password: 

SGOS# configure terminal 

Enter configuration commands, one per line. End with CTRL-Z. 

SGOS# (config) 

For detailed information about the CLI and the CLI commands, refer to Volume 11: 
Command Line Interface Reference. 



Note: Although most administrator tasks can be performed using either the 
Management Console or the CLI, there is the occasional task that can only be done 
using one of the two: these are specified in the manual. 



Accessing the ProxySG 

You can access the ProxySG through either the CLI or the Management Console. 
By default, SSHv2 (CLI) and HTTPS (Management Console) are used to connect 
to the appliance. 

The SSH and HTTPS ports are configured and enabled. For SSH, you can use 
either version 1 or version 2 (with password or RSA client key authentication). 

Accessing the Management Console 

The Management Console is a graphical Web interface that allows you to manage, 
configure, monitor, and upgrade the ProxySG from any location. 

The Management Console consists of a set of Web pages stored on the ProxySG. 
The appliance acts as a Web server on the management port to serve these pages. 
From the ProxySG home page on the appliance, you can access the configuration, 
maintenance, and statistics pages, and the documentation. The Management 
Console is supported with a complete online help facility to assist you in defining 
the various configuration options. 



Note: If, when you access the Management Console home page, you see a host 
mismatch or an invalid certificate message, you must recreate the security 
certificate used by the HTTPS-Console. For information on changing the security 
certificate, refer to the console services information in Volume 2: Proxies and Proxy 
Services. 
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Logging On 

Each time you access the Management Console, you must log on. 

To log on to the Management Console: 

1. In the Web browser, enter HTTPS, the ProxySG IP address, and port 8082 (the 
default management port). 



Note: For example, if the IP address configured during first-time installation 
is 10 .25. 36 . 47, enter the URL https : //io. 25 .36. 47 : 8082 in the Web browser. 




2. Enter the user name and password that you have already created. 



Note: All successful and failed logon attempts are logged to the event log. 
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3. The Blue Coat Management Console Statistics > Traffic Mix page displays in 
the browser. 



Note: You can change the username and password for the console. See 
"Changing the Logon Parameters" on page 48. 



The Statistics screen provides a visual representation of the overall traffic and 
health of the ProxySG. The health states are based on the health monitoring 
metrics, which are described in the Monitoring chapter of Volume 9: Managing the 
Bine Coat ProxySG Appliance. 

The health icon is located in the upper right corner of the Management Console. 




The following health states are possible: 

□ Ok (Green) 

□ Warning (Yellow) 

□ Critical (Red) 

These states are represented by a text string and a color that corresponds to the 
health of the system (green, yellow or red). The system health changes when one 
or more of the health metrics reaches a specified threshold or returns to normal. 

The Management Console polls the ProxySG every 10 seconds and updates the 
health state indicator accordingly. 

To obtain more information about the health state, click the health icon. Clicking 
the health icon displays the Statistics > Health page, which lists the current 
condition of the system's health monitoring metrics. 
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Refer to Volume 9: Managing the Blue Coat ProxySG Appliance for more information 
about the health monitoring metrics. 

Logging Out 

Once you have logged on, you do not have to log on again unless you exit the 
current session or the session times out. The session timeout period, with a 
default of 900 seconds (15 minutes), is configurable. 

Thirty seconds before the session times out, a warning dialog displays. Click the 
Keep Working button or the X in the upper-right-corner of the dialog box to keep the 
session alive. 



Note: The Keep Working button saves your changes. However, you must log back 
on to work in other pages. 




If you do not click Keep Working or the X in the upper-right-hand corner within the 
thirty-second period, you are logged out. You must log back on to access the 
Management Console. 

To log back on, click the hyperlink. 



Note: If you are on the Management Console home page when the session times 
out, you are logged out without seeing the logout warning dialog. You might not 
be aware that you are logged out until you try to access a Management Console 
page. You must enter the logon information again. 



Accessing the CLI 

If you use the CLI, you can use SSHv2 to access the ProxySG, but you cannot use 
SSHvl or Telnet without additional configuration. 



Note: Enabling the Telnet-Console introduces a security risk, so it is not 
recommended. 



To use SSHvl, you must first create an SSHvl host key. For more information on 
creating SSH host keys, refer to Volume 2: Proxies and Proxy Services. 
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To log on to the CLI, you must have: 

□ the account name that has been established on the ProxySG 

□ the IP address of the ProxySG 

□ the port number (22 is the default port number) 

You must log on from your SSH client. 

Changing the Logon Parameters 

You can change the console username and password, the console realm name 
(which displays when you log on to the ProxySG), and the auto-logout timeout (in 
seconds; the default is 900 seconds.) 

The Management Console requires a valid administrator username and password 
to have full read-write access; you do not need to enter a privileged-mode 
password as you do when using the CLI. A privileged-mode password, however, 
must already be set. 



Note: To prevent unauthorized access to the ProxySG, only give the console 
username and password to those who administer the system. 



Changing the Username and Password 

You can change either the username or the password without changing both. The 
console account username was assigned during initial setup of the system. You 
can change the username at any time. 



Note: Changing the Console Account username or password causes the 
Management Console to refresh and log back on using the new information. Each 
parameter must be changed and individually refreshed. You cannot change both 
parameters at the same time. 



To change the username: 

1. Select Configuration > Authentication > Console Access > Console Account. 
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Console Account Console Access | SSH Host 

r Console account 



User name: 



admin 



| Change Password | change the console password 
Console realm name; 

Auto-logout (seconds): 



900 



2. Enter the username of the administrator or administrator group who is 
authorized to view and revise console properties. Only one console account 
exists on the ProxySG. If you change the console account username, that 
username overwrites the existing console account username. The console 
account username can be changed to anything that is not null and contains no 
more than 64 characters. 



3. Click Apply. After clicking Apply, an Unable to Update configuration error is 
displayed. The username change was successfully applied, but the 
configuration could not be fetched from the ProxySG, as the username offered 
in the fetch request is still the old username. 

4. Refresh the screen. You are then challenged for the new username. 



To change the password: 

The console password and privileged-mode password were defined during initial 
configuration of the system. The console password can be changed at any time. 
The privileged-mode, or enabled-mode, password can only be changed through 
the CLI or the serial console. 

1. Select Configuration > Authentication > Console Access > Console Account. 

2. Click Change Password. 

3. Enter and re-enter the console password that is used to view and edit 
configuration information. The password must be from 1 to 64 characters 
long. As you enter the new password, it is obscured with asterisks. Click OK. 



Note: This does not change the enabled-mode password. You can only 
change the enabled-mode password through the CLI. 



4. Refresh the screen, which forces the SGOS software to re-evaluate current 
settings. When challenged, enter the new password. 

5. (Optional) Restrict access by creating an access control list or by creating a 
policy file containing <Admin> layer rules. For more information, see Volume 4: 
Securing the Blue Coat ProxySG Appliance : Chapter 3, "Controlling Access to the 
Internet and Intranet." 
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Changing the ProxySG Realm Name 

The realm name displays when you log on to the Management Console. The 
default realm name is the connection used to access the ProxySG, usually the IP 
address of the system. 

To change the realm name: 

1. Select Configuration > Authentication > Console Access > Console Account. 

2. Enter a new realm name. 

The new realm name displays the next time you log on to the Management 
Console. 

3. Click Apply. 

Related CLI Syntax to Change the Realm Name 

SGOS# (config) security management display-realm name 

The new realm name displays the next time you log on to the Management 
Console. 

Changing the ProxySG Timeout 

The timeout is the length of time a session persists before you are logged out. The 
default timeout is 900 seconds (15 minutes). 

To change the timeout: 

1. Select Configuration > Authentication > Console Access > Console Account. 

2. Either deselect Enforce auto-logout (which eliminates auto-logout entirely) or 
change the auto-logout timeout from its default of 900 seconds (15 minutes) to 
another value (in seconds). This is the allowable length of time on the 
ProxySG before the current session times out. Acceptable values are between 
300 and 86400 seconds (5 minutes to 24 hours). 

If you change the timeout value, the change takes effect on the next refresh of 
any Management Console page. 

3. Click Apply. 

Related CLI Syntax to Change the Timeout 

SGOS# (config) security management auto- logout- timeout seconds 
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The ProxySG global configurations include: defining the ProxySG name and 
serial number, setting the time, and configuring NTP for your environment. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "Configuring the ProxySG Name" on page 51 

□ "Viewing the Appliance Serial Number" on page 51 

□ "Configuring the System Time" on page 51 

□ "Network Time Protocol" on page 54 

□ "Configuring HTTP Timeout" on page 55 



Configuring the ProxySG Name 

You can assign any name to a ProxySG. A descriptive name helps identify the 
system. 

To set the ProxySG name: 

1. Select Configuration > General > Identification. 

2. In the Appliance name field, enter a unique name for the ProxySG. 

3. Click Apply. 

Related CLI Syntax for Setting the ProxySG Name 

SGOS# (config) hostname name 



Viewing the Appliance Serial Number 

The ProxySG serial number assists Blue Coat Systems Customer Support when 
analyzing configuration information, including heartbeat reports. This number 
is found on the ProxySG. The serial number is visible on the Management 
Console home page. 

Configuring the System Time 

To manage objects, the ProxySG must know the current Coordinated Universal 
Time (UTC), which is the international time standard and is based on a 24-hour 
clock. However, time stamps can also record in local time. To do this, local time 
must also be set based on time zones. 
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By default, the ProxySG attempts to connect to an NTP server, in the order the 
servers appear in the NTP server list on the NTP tab, to acquire the UTC time. The 
appliance ships with a list of NTP servers available on the Internet. If the 
appliance cannot access any of the listed NTP servers, you must manually set the 
UTC time. 

Additionally, the ProxySG ships with a limited list of time zones. If a particular 
time zone is missing from the included list, the list can be updated at your 
discretion. Also, the time zone database might need to be updated if the Daylight 
Savings rules change in your area. The list can be updated by downloading the 
full time zone database from http:/ / download.bluecoat.com/ release/ 
timezones.tar. 

To set local time: 

1. Select Configuration > General > Clock > Clock. 



Clock NTP | 




- Update time zone database 

Installation URL: [http:// | | Install | | Set to default" 



- Method for acquiring UTC: 

0 Enable NTP i Acquire UTC time | 

Query interval (minutes) 60 



2. Click Set Time zone. The Time Zone Selection dialog displays. 
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3. Select the time zone that represents your local time. After you select the local 
time zone, event logs record the local time instead of GMT. To add additional 
time zones to the list, update the appliance's time zone database, as described 
in the following procedure. 

4. Click OK to close the dialog. 

5. Click Apply. 

To update the database: 

1. Select Configuration > General > Clock > Clock. 

2. Enter the URL from which the database will be downloaded or click Set to 

default. 

3. Click Install. 

Related CLI Syntax for Adding New Time Zones to the Database: 

SGOS# (config) timezone database-path [url | default] 

SGOS# (config) load time zone -database 

To acquire the UTC: 

1. Ensure that Enable NTP is selected. 

2. Click Acquire UTC Time. 

Related CLI Syntax for Acquiring and Setting UTC Time: 

SGOS# acquire-utc 

SGOS# (config) clock [subcommands] 
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Network Time Protocol 

The Network Time Protocol (NTP) is used to synchronize the time of a computer 
client or server to another server or reference time source, such as a radio or 
satellite receiver or modem. There are more than 230 primary time servers, 
synchronized by radio, satellite and modem. 

The ProxySG ships with a list of NTP servers available on the Internet, and 
attempts to connect to them in the order they appear in the NTP server list on the 
NTP tab. You can add others, delete NTP servers, and reorder the NTP server list 
to give a specific NTP server priority over others. 

The ProxySG uses NTP and the Coordinated Universal Time (UTC) to keep the 
system time accurate. 

You can add and reorder the list of NTP servers the ProxySG uses for acquiring 
the time. (The reorder feature is not available through the CLI.) 

To add an NTP server: 

1. Select Configuration > General > Clock > NTP. 



Clock NTP 

r NTP servers: 




[ Demote entry ] 



2. Click New. The Add List Item dialog displays. 

3. Enter either the domain name or IP address of the NTP server and click OK to 
close the dialog. 

4. Click Apply. 

Related CLI Syntax for Acquiring and Setting UTC Time: 

SGOS# (config) ntp [subcommands] 
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To change the access order: 

NTP servers are accessed in the order displayed. You can organize the list of 
servers so the preferred server appears at the top of the list. This feature is not 
available through the CLI. 

1. Select Configuration > General > Clock > NTP. 

2. Select an NTP server to promote or demote. 

3. Click Promote entry or Demote entry as appropriate. 

4. Click Apply. 

Configuring HTTP Timeout 

You can configure various network receive timeout settings for HTTP 
transactions. You can also configure the maximum time that the HTTP proxy 
waits before reusing a client-side or server-side persistent connection. You must 
use the CLI to configure these settings. 

To configure the HTTP receive timeout setting: 

At the (config) command prompt, enter the following command: 

SGOS# (config) http receive-timeout {client | refresh | server} 

#_seconds 

where: 



client 


# seconds 


Sets the receive timeout for client to #_seconds. 
The default is 120 seconds. 


refresh 


# seconds 


Sets receive timeout for refresh to #_seconds. 
The default is 90 seconds. 


server 


# seconds 


Sets receive timeout for server to # seconds. 
The default is 180 seconds. 



To configure the HTTP persistent timeout setting: 

At the (config) command prompt, enter the following command: 

SGOS# (config) http persistent-timeout {client | server} #_seconds 
where 



client 


# seconds 


The maximum amount of time the HTTP 
proxy waits before closing the persistent 
client connection if another request is not 
made. The default is 360 seconds. 


server 


# seconds 


The maximum amount of time the HTTP 
proxy waits before closing the persistent 
server connection if that connection is not 
re-used for any subsequent request from the 
proxy. The default is 900 seconds. 
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This chapter describes ProxySG network adapters, the adapter interfaces, and 
how to configure the ProxySG to function within a Virtual LAN (VLAN) 
environment. Although you most likely have performed initial configuration 
tasks to get the ProxySG live on the network, this chapter provides additional 
conceptual information to ensure the configuration matches the deployment 
requirement. 

Topics in this Chapter 

The following topics are covered in this chapter: 

□ "How Do I...?" on page 57 — Begin here if you are not sure of the answer you 
seek. 

□ "How ProxySG Adapters Interact on the Network" on page 58 

□ "About Virtual LAN Configurations" on page 61 

□ "Changing the Default Adapter and Interface Settings" on page 65 

□ "Viewing Interface Statistics" on page 71 

□ "Detecting Network Adapter Faults" on page 73 

How Do I...? 

To navigate this chapter, identify the task to perform and click the link: 



How do 1...? 


See... 


Verify the ProxySG is connected properly 
based on the basic deployment type, such 
as bridging and in-path? 


"About WAN and LAN Interfaces" on 
page 58 


Learn basic information about virtual 
LAN (VLAN) deployments? 


"About Virtual LAN Configurations" on 
page 61 


Change the settings for default link 
speeds for interfaces? 


"About Link Settings" on page 60 
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How do 1...? 


See... 


Verify that traffic is flowing through the 
interfaces and see what type of traffic it 
is? 


"Viewing Interface Statistics" on page 71 


Troubleshoot interface connectivity? 


"Detecting Network Adapter Faults" on 
page 73 



How ProxySG Adapters Interact on the Network 

Each ProxySG ships with one or more network adapters installed on the system, 
each with one or more interfaces (the number of available interfaces varies by 
ProxySG model). 



Note: In Blue Coat documentation, the convention for the interface is 

adapter: interface. For example, 0 : 0 . 



About WAN and LAN Interfaces 

Recent ProxySG models have labels next to the physical interfaces (on the 
appliance backplate) that identify the WAN and LAN links. These interface labels 
are also hard coded in SGOS 5.3.x and are displayed in the respective interface 
graphics in the Management Console. Based on your deployment type (the 
ProxySG directly in-path between users and a router or the ProxySG connected to 
a router that resides in-path, virtually in-path, and explicit), verify the following 
connections: 

□ The ProxySG is deployed in-path with bridging. 




Figure 5-1 Connecting WAN and LAN interfaces in-path with bridging. 

□ Clients and WAN links connect to the ProxySG transparently through a router 
with WCCP. 
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Virtually in-path with WCCP 




Figure 5-2 Connecting the LAN interface to a router with WCCP. 



About Interception Options 

The ProxySG allows you to execute one of three actions upon intercepting traffic 
on a per-interface basis: 

□ Allow: Bridge/ forward traffic and intercept appropriate traffic as defined by 
Proxy Services. 

□ Bypass: Bridge/ forward all traffic without interception. 

□ Firewall: Drop (silently block) any traffic not related to established ProxySG 
connections. 

The following table describes what effect each allow-intercept option setting has 
on different traffic types. 



Table 5-1 How each interception option affects connections. 



Option 


ProxySG Settings 


ProxySG 
Management and 
Console 
Connections 


Explicit 

Proxy 

Service 

Traffic 


Transparent 

Proxy 

Service 

Traffic 


Other 

Traffic 




reject- 

inbound 


allow- 

intercept 


Allow 


Disabled 


Enabled 


Intercepted 


Intercepted 


Intercepted 


Forwarded 


Bypass 


Disabled 


Disabled 


Intercepted 


Intercepted 


Forwarded 


Forwarded 


Firewall 


Enabled 


Enabled/ 

Disabled 


Silently dropped 


Silently 

dropped 


Silently 

dropped 


Silently 

dropped 
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The default intercept option depends on the type of license on this ProxySG: 

□ Proxy Edition: The default is Bypass transparent interception. 

□ Mach 5 Edition: The default is Allow transparent interception. The ProxySG 
performs normal proxy interception, as configured in Configuration > Services, 
for traffic on the interface. If you require this ProxySG to perform interception 
of traffic on specific interface(s), set the other interfaces to either bypass 
(bridge/ forward, but do not intercept traffic on it) or firewall it (drop all traffic 
not related to established proxy connections). 

About Link Settings 

By default, the ProxySG auto-negotiates the interface speed and duplex settings 
with the switch or router to which it is connected. 

□ The ProxySG supports multiple Ethernet modes. The speed setting is the 
maximum transfer speed, in Megabits or Gigabits per second (Mbps/ Gbps), 
the interface supports. 

□ The duplex setting designates two-way traffic capabilities. In Full duplex 
mode, both devices may transmit to and from each other simultaneously, 
allowing each direction to use the maximum transfer speed without affecting 
the other direction. In Half duplex mode, only one device may transmit at any 
one time, effectively sharing the maximum transfer speed of the interface. 

The ProxySG appliance's health monitoring capability provides alerts if interface 
use reaches warning and critical capacity levels. In Full duplex mode, the ProxySG 
reports the larger percentage value of the sending and receiving values. For 
example, if the ProxySG is receiving 20 Mbps and sending 40 Mbps on a 100 
Mbps-capable interface, the reported value is 40%. If the same interface was set to 
half duplex, the reported value is 60%, or the aggregated values. 

Blue Coat strongly recommends using the (default) auto-negotiation feature. The 
key issue is the ProxySG settings must match the settings on the switch; therefore, 
if you manually change the settings on the ProxySG, you must also match the 
settings on the router or switch. 



Note: When the 100 Mbps Ethernet interfaces on the ProxySG 200, 210, 400, 800 
and 8000 models are connected to Gigabit Ethernet capable devices, they might 
incorrectly auto-negotiate when fail-open pass-through is used. 

If both the interfaces on these ProxySG appliances are connected to Gigabit 
capable switches or hubs. Blue Coat recommends that you configure the link 
settings manually to 100 Mbps. To configure the link settings, see Step 3 in "To 
configure a network adapter:" on page 65. 
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The following table lists the results of various ProxySG and router link settings for 
100 Mbps speeds. The values are listed in the format: speed/duplex. 



Table 5-2 Results for 100 Mbps link speed settings on the ProxySG and the switch 



Router/Switch 
Auto-negotiation 
Result (speed/ 
duplex) 


Router/Switch 
Interface Settings 


ProxySG 
Interface Setting 


ProxySG Auto- 
negotiation 
Result 


100/Full Duplex 


Auto 


Auto 


100 /Full Duplex 


N/A 


100 /Full Duplex 


Auto 


100/Half Duplex 


N/A 


100/Full Duplex 


100/Full Duplex 


N/A 


100/Half Duplex 


Auto 


100 /Full Duplex 


N/A 



The following table lists the results of various ProxySG and router link settings for 
1 Gbps speeds. The values are listed in the format: speed/duplex. 



Table 5-3 Results for IGbps link speed settings on the ProxySG and switch 



Router/Switch 

Auto-negotiation 

Result 


Router/Switch 
Interface Setting 


ProxySG 
Interface Setting 


ProxySG Auto- 

Negotiation 

Result 


No Link 


Auto 


Gig /Full Duplex 


No link 


Gig /Full Duplex 


Auto 


Auto 


Gig /Full Duplex 


No Link 


Gig/Full Duplex 


Auto 


No link 



See Also 

Health Monitoring (Volume 9, Chapter 2) 



About Virtual LAN Configurations 

This section discusses VLAN deployments and how the ProxySG manages 
VLAN-tagged traffic. 

About VLAN Deployments 

VLANs are logical network segments that allow hosts to communicate, regardless 
of physical network location. The benefit to this is that clients can be separated 
logically — based on organizational unit, for example — rather than based on 
physical connectivity to interfaces. The ProxySG treats VLAN interfaces 
identically to traditional physical LAN interfaces. 

VLAN segments are defined on the switch. The network administrator specifies 
which ports belong to which VLANs. The following diagram illustrates a port- 
based VLAN configuration. Clients on network segments attached to switch ports 
1 and 2 belong to VLAN 1, which has the network address l o . o . i . x; network 
segments attached to switch ports 14 and 15 belong to VLAN 2, which has the 
network address 1 0 . 0 . 2 . x. 



61 



Volume I: Getting Started 




Figure 5-3 Multiple VLANs connected to ports on one switch 

As also illustrated in the diagram, clients of different OS types can reside within a 
VLAN. However, not all clients are able to detect (send or receive) VLAN-tagged 
packets. 

About VLAN Trunking 

Trunk ports are ports that carry traffic for more than one VLAN. They tag each 
packet with the VLAN ID in the packet header. Trunk ports are commonly used 
between switches and routers that must switch or route traffic from or to multiple 
VLANs. 

In the following diagram, multiple VLANs are connected by trunk link between 
two switches. 




Figure 5-4 Two switches connected by a trunk 

About Native VLANs 

Each switch port has a designated native VLAN. Traffic on the port associated 
with the native VLAN is not tagged. Traffic destined for VLANs other than the 
native VLAN is tagged. 
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The trunk link carries both the native VLAN and all other VLAN (tagged) 
packets, as illustrated in the following diagram. 



VLAN 1 




Trunk link 


Clients: 1, 2, and 3 




carrying: 


Switch ports: 1, 2, and 3 




(Native) VLAN 1 


Subnet: 192.168.1.x 




VLAN 2 




VLAN 2 

Clients: 4 and 5 
Switch ports: 7 and 8 
Subnet: 192.168.2.x 



Figure 5-5 A switch broadcasting native and regular VLAN traffic over a trunk 

In this example, the client attached to port 7 belongs to VLAN 2. Even though port 
7 is part of VLAN 2, it does not set tags or receive VLAN-tagged packets. The 
switch associates the traffic with VLAN 2 and tags it accordingly when 
appropriate. Conversely, it strips the VLAN 2 tag on the response. The trunk link 
carries VLAN 1 (the native) and 2 traffic to a router that forwards traffic for those 
VLANs. 

Deployment complications arise when a device (other than a router) is required 
between switches. Any network device without VLAN-tagging support might 
drop or misinterpret the traffic. 

As a best practice, do not deploy a device that is not configured to recognize 
VLAN-tagged traffic in-path of a trunk link. 



Note: In Blue Coat documentation, the convention for VLAN is 

adapter: interface. vlan_id. Example: 1 : 0.10 refers the VLAN ID 10 on adapter 

l, interface o. 



The Blue Coat Solution 

The ProxySG supports VLAN tagging; therefore, a ProxySG can be deployed in- 
path with switches that are exchanging VLAN-tagged traffic. This allows for 
uninterrupted VLAN service, plus enables benefits gained with the proxy 
features. 
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The Management Console enables you to configure VLAN interfaces the same 
way you configure physical interfaces. After a VLAN is added, it appears in the 
list of network interfaces. Settings such as aiiow-intercept and reject-inbound 
are applicable to VLAN interfaces. 

The most common deployment is a ProxySG residing between two switches or a 
switch and a router; in these cases, preserving tagged packets is essential to 
proper network operation. 




Figure 5-6 ProxySG deployed between two switches 

The ProxySG strips outgoing native VLAN tags. Any packets not matching the 
native VLAN are dropped unless trunking is enabled on the ProxySG interfaces. 



Interface: 0:0 Interface: 0:1 

Trunking: enabled Trunking: enabled 




Figure 5-7 Trunking enabled on two ProxySG physical interfaces 
Based on this deployment: 

□ The ProxySG accepts all packets, regardless of their VLAN tag, and, if 

configuration and policy allows, passes them from one interface to the other 
with the original VLAN tag preserved. 
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□ If a packet arrives on one interface tagged for VLAN 2, it remains on VLAN 2 
when it is forwarded out another interface. If a packet arrives untagged and 
the destination interface has a different native VLAN configured, the ProxySG 
adds a tag to ensure the VLAN ID is preserved. Similarly, if a tagged packet 
arrives and the VLAN ID matches the native VLAN of the destination 
interface, the ProxySG removes the tag before transmitting the packet. 

Changing the Default Adapter and Interface Settings 

The following procedure describes how to change the default adapter and 
interface settings because of site-specific network requirements. These include 
inbound connection restrictions, link settings, browser /PAC file settings, and 
VLAN settings. Repeat the process if the system has additional adapters. By 
default: 

□ The ProxySG allows the transparent interception of inbound connections. 

□ By default, the ProxySG auto-negotiates link settings with the connected 
switch or router. Blue Coat recommends using auto-negotiation except under 
special circumstances. 



Note: Rejecting inbound connections improperly or manually configuring link 
settings improperly might cause the ProxySG to malfunction. Ensure that you 
know the correct settings before attempting either of these. If the ProxySG fails to 
operate properly after changing these settings, contact Blue Coat Technical 
Support. 



About Multiple IP Addresses 

The ProxySG allows you to bind multiple IP addresses to an interface, and 
typically, the assigned IP addresses are on the same subnet. Multiple IP addresses 
on an interface allows for managing one service under a specific IP and another 
service under a different IP. For example, you can assign one IP address for 
management services/ console access and another IP address for managing proxy 
traffic. In addition, you could assign unique IP addresses to manage different 
services, that is have HTTP traffic on one and native FTP on another. 

To configure a network adapter: 

1. Select Configuration > Network > Adapters > Adapters tab. 



Note: Different ProxySG models have different adapter configurations, and 
the appearance of the Adapters tab varies accordingly. 
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2. Select the adapter and interface to configure: 

a. In the Adapter/Interface area, select an adapter from the Adapter drop- 
down menu. 

b. If you have a multiple-interface adapter, select an interface from the 
drop-down list. 



Note: If this ProxySG supports it, the interfaces are labeled for WAN 
and LAN connections, which correspond to the interface labels on the 
ProxySG backplate. 



c. Notice that for each interface selected, status information displays. The 
current link status is displayed on the right-hand side of the pane. 

• Status: Interface status, Up or Down. 



Note: When the link status of an interface changes, a message is added 
to the event log. 



• Duplex: 

• Speed: The maximum transfer speed available through the 
interface, depending on the type of Ethernet technology. The 
values are: 10, 100, and 1000 Mbps. 



Note: An N/A status might indicate a network connectivity issue. 



• Full: The interface can simultaneously send and receive at the 
defined maximum speed (previous bullet). For example, a 100 
Mbps full duplex link can send up to 100 Megabits per second 
(Mbps) of data and simultaneously receive up to 100 Mbps of data. 
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• Half: The interface can only send data in one direction at a time. For 
example, a 100 Mbps half duplex link can only send and receive a 
combined maximum of 100 Mbps of data. 

For more information about network bridging, see Chapter 6: "Software 
and Hardware Bridges" on page 75. 

3. Click Settings. The Settings dialog displays, which contains three configuration 
option areas. 



4. 

5. 

6 . 



Dialog Area 





■ When receiving packets on this interface: 

O Allow transparent interception 
® Bypass transparent interception 
O Firewall incoming traffic 





The default is Allow transparent 
interception. The ProxySG performs 
normal proxy interception, as configured 
in Configuration > Services, for the traffic 
arriving on the interface. If you require 
this ProxySG to perform interception on 
traffic from a specific interface or set of 
interfaces, set the other interfaces to either 
bypass the traffic (pass it through but not 
intercept it) or firewall it (block it 
completely). 

For more detailed information, see "About 
Interception Options" on page 59. 



- Link Settings: 

O Automatically sense link settings 
® Manually configure link settings 

Duplex: O Fu H ©Half 

Speed: 100 megabit/sec v 

Il0 megabit/sec 

MAC address: OPPO^M^I 



Option 

Inbound connection options: 

• Allow transparent interception 

(default): The ProxySG intercepts the 
appropriate traffic based on settings 
configured in Configuration > 
Services; all other traffic is bridged 
or forwarded. 

• Bypass transparent interception: The 

ProxySG bridges or forwards all 
inbound traffic on this interface, 
regardless of the services 
configuration. 

• Firewall incoming traffic: The 

ProxySG drops all inbound 
connections on this interface, 
regardless of the services 
configuration. 



Link settings: 

• Automatically sense link settings 

(default, recommended): The 
ProxySG auto-negotiates the link 
settings for this interface. 

• Manually configure link settings: 

Select the options that meet your 
network requirements. This method 
requires a consistent configuration 
on the router or switch connected to 
this ProxySG. 



Click OK to close the dialog. 



Click Apply to save changes to the adapter /interface settings. 



Next step: 



• If you need to bind multiple IP addresses to an interface, proceed to Step 7. 

• If you require additional VLAN configuration, proceed to Step 8. 
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• Otherwise, click Apply; the adapter configuration is complete. Proceed to 
"Viewing Interface Statistics" on page 71 for verification. 




7. If applicable, bind multiple IP addresses to an interface. 



a. Select the Physical Interface. 

b. Click Edit. The Configure Interface IPs dialog displays. 

c. Click Add IP. The Add list item dialog displays. 

d. Specify the IP address and subnet mask; click OK to close the dialog 

e. Click OK. 



f. Click Apply. 
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r VLANs: 

8a c =- Native VLAN for interface 0:1 1 




8 b o( New VLAN | 

tj- 

8. If applicable, configure Virtual LAN (VLAN) options (see "About Link 

Settings" on page 60): 

a. By default, the native VLAN ID for any ProxySG interface is 1, as most 
switches by default are configured to have their native VLAN IDs as 1 . 
Only change this value if the native VLAN ID of the switch or router 
connected to this interface is a value other than 1 ; match that value 
here. 

b. To add VLANs other than the native VLAN to the interface, click New 
VLAN. The Configure Interface IPs dialog displays. 
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9. Configure the VLAN options: 

a. Specify the VLAN ID (VID) number of the VLAN accepted on this 
interface. 

b. Click Add IP to display the Add List Item dialog. 

c. Specify the VLAN IP address and subnet mask; click OK to close the 
dialog. 

d. The receiving packet and browser behavior is the same as for physical 
interfaces (see Table 5-1, "How each interception option affects 
connections." on page 59) with the exception of Use physical interface 
setting, which applies the same configuration to the VLAN as was set 
on the physical interface. 

e. Click OK in both dialogs. 

10. Click Apply. 
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Related CLI Syntax to Configure an Adapter/Native VLAN 

□ To enter configuration mode: 

SGOS# (config) interface fast-ethernet adapter : inter face 
SGOS# (config) interface adapter: interface 

□ The following VLAN subcommands are available: 

SGOS# (config interface adapter: interface) native-vlan # 

SGOS# (config interface adapter : interface . vlan_id) vlan-trunk {enable | 
disable 

Related CLI Syntax to Enable/Disable Transparent Interception 

□ For standard interfaces: 

SGOS# (config interface adapter : inter face) allow- intercept {enable | 
disable} 

□ For VLAN interfaces: 

SGOS# (config interface adapter: interface .vlan_id) allow-intercept 
{enable | disable | inherit} 

Related CLI Syntax to Manually Configure Link Settings 

□ To enter configuration mode for standard interfaces: 

SGOS# (config interface adapter : interface) {full-duplex | half-duplex} 
SGOS# (config interface adapter : interface) speed {10, 100, lgb} 

Related CLI Syntax for Rejecting Inbound Connections 

□ To enter configuration mode for standard interfaces: 

SGOS# (config interface adapter: interface) reject-inbound {enable | 
disable} 

□ To enter configuration mode for VLAN interfaces: 

SGOS# (config interface adapter: interface .vlanid) reject-inbound 
{enable | disable | inherit} 

Viewing Interface Statistics 

As traffic flows to and from the ProxySG, you can review statistics for each 
interface (including VLAN traffic). This allows you to verify your deployment is 
optimized. For example, if you notice that traffic flowing through the LAN 
interface is consistently near capacity, you might consider routing traffic 
differently or spreading the load to another ProxySG. 

To view interface-specific statistics: 

1. In the Management Console, select Statistics > Network > Interface History. 
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3. Select a data type: 



Data Type 


Description 


Bytes Sent 


The number of outgoing bytes sent from this interface or VLAN. 


Bytes 

Received 


The number of inbound bytes received on this interface or VLAN. 


Packets 

Sent 


The number of outgoing packets sent from this interface or VLAN. 


Packets 

Received 


The number of inbound packets received on this interface or VLAN. 


Input 

Errors 


The number of input and output errors that occurred on the interface 
(not applicable on VLANs). This information provides details that 
Blue Coat Technical Support uses to troubleshoot issues. 


Output 

Errors 



4. Select an interface to view. If an interface has attached VLANs, the tree 
expands to display the VLAN(s), which are also selectable. 

In the graph area, roll your mouse over data lines to view exact metrics. 

See Also 

Health Monitoring (Volume 9, Chapter 2) 
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Detecting Network Adapter Faults 

The ProxySG can detect whether the network adapters in an appliance are 

functioning properly. If the appliance detects a faulty adapter, it stops using it. 

When the fault is remedied, the ProxySG detects the functioning adapter and uses 

it normally. 

To determine whether an adapter is functioning properly: 

1. Check whether the link is active (that is, a cable is connected and both sides 
are up). 

2. Check the ratio of error packets to good packets: both sent and received. 

3. Check if packets have been sent without any packets received. 

4. Check the event log. If an adapter fault is detected, the ProxySG logs a severe 
event. In addition, the ProxySG logs an entry even when a faulty adapter is 
restored. 
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This chapter describes the SGOS hardware and software bridging capabilities. 
Network bridging through the ProxySG provides transparent proxy pass- 
through and failover support. 

Topics in this Chapter 

The following topics are covered in this chapter: 

□ "About Bridging" on page 75 

□ "About the Pass-Through Adapter" on page 77 

□ "Configuring a Software Bridge" on page 78 

□ "Configuring Programmable Pass-Through /NIC Adapters" on page 80 

□ "Customizing the Interface Settings" on page 83 

□ "Setting Bandwidth Management for Bridging" on page 83 

□ "Configuring Failover" on page 84 

About Bridging 

Bridging functionality allows each ProxySG to be easily deployed as a 
transparent redirection device, without requiring the additional expense and 
maintenance of L4 switches or WCCP-capable routers. Bridging is especially 
useful in smaller deployments in which explicit proxies or L4 switches are not 
feasible options. 

Bridges are used to segment Ethernet collision domains, thus reducing frame 
collisions. Unlike a hub, a bridge uses a frame's destination MAC address to 
make delivery decisions. Because these decisions are based on MAC 
addressing, bridges are known as Layer 2 devices. 

To make efficient delivery decisions, the bridge must discover the identity of 
systems on each collision domain, and then store this information in its 
bridging table. After learning the identity of the systems on each collision 
domain, the bridge uses the source MAC address of frames to determine from 
which interface a given system can be reached. 

A branch office that would take advantage of a bridging configuration is likely 
to be small; for example, it might have only one router and one firewall in the 
network, as shown below. 
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Figure 6-1 A Bridged Configuration 



To ensure redundancy, the ProxySG supports both serial and parallel failover 
modes. See "Configuring Failover" on page 84 for more information about serial 
and parallel failover configurations. 

About Traffic Handling 

Because the bridge intercepts all traffic, you can take advantage of the powerful 
proxy services and policies built into the ProxySG to control how that traffic is 
handled. If the ProxySG recognizes the intercepted traffic, you can apply policy to 
it. Unrecognized traffic is forwarded out. The following diagram illustrates this 
traffic handling flow. 




Figure 6-2 Traffic Flow Decision Tree 

Because policy can be applied only to recognized protocols, it is important to 
specify port ranges that will capture all traffic, even that operating on lesser- 
known ports. 
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About Bridging Methods 

The ProxySG provides bridging functionality by two methods: 

□ Software — A software, or dynamic, bridge is constructed using a set of 
installed interfaces. Within each logical bridge, interfaces can be assigned or 
removed. 

See "Configuring Programmable Pass-Through/ NIC Adapters" on page 80 for 
more information. 

□ Hardware — A hardware, or pass-through, bridge uses a 10/100 dual interface 
Ethernet adapter. This type of bridge provides pass-through support. 

See "About the Pass-Through Adapter" on page 77 for more information. 



Note: If you want to use an L4 switch or an explicit proxy instead of 
bridging, you must disable the bridging pass-through card. 



About the Pass-Through Adapter 

A pass-through adapter is a 10/100 dual interface Ethernet adapter designed by 
Blue Coat to provide an efficient fault-tolerant bridging solution. If this adapter is 
installed on a ProxySG, SGOS detects the adapter on system bootup and 
automatically creates a bridge — the two Ethernet interfaces serve as the bridge 
ports. If the ProxySG is powered down or loses power for any reason, the bridge 
fails open; that is, Web traffic passes from one Ethernet interface to the other. 
Therefore, Web traffic is uninterrupted, but does not route through the appliance. 



Important: This scenario creates a security vulnerability. 



After power is restored to the ProxySG, the bridge comes back online and Web 
traffic is routed to the appliance and thus is subject to that appliance's configured 
features, policies, content scanning, and redirection instructions. Note that 
bridging supports only failover; it does not support load balancing. 



Note: The adapter state is displayed on Configuration > Network > Adapters. 



Reflecting Link Errors 

When the ProxySG is deployed transparently with bridging enabled, link errors 
that occur on one interface can be reflected to the other bridge interface. This 
allows a router connected to the ProxySG on the healthy link to detect this failure 
and recompute a path around this failed segment. When the interface with the 
original link error is brought back up, the other interface is automatically 
restarted as part of the health check process. 

Reflecting link errors requires that two interfaces be available and connected in a 
bridging configuration; it also requires that the propagation- failure option is 
enabled. By default, propagation-failure is disabled. 
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Note: This feature is only applicable to a two-interface hardware or software 
bridge. The propagation-failure option sets itself to disabled in any other 
scenario. 



If the link goes down while propagation- failure is disabled, the previous link 
state is immediately reflected to the other interface if propagation-failure is 
enabled during this time. 

Configuring a Software Bridge 

This section describes how to use the Management Console or the CLI to link 
adapters and interfaces to create a network bridge. 

Before configuring a software bridge, ensure that your adapters are of the same 
type. Although the software does not restrict you from configuring bridges with 
adapters of different speeds (10/100 or GIGE, for example), the resulting behavior 
is unpredictable. 

To create and configure a software bridge: 

1. Select Configuration > Network > Adapters > Bridges. 

2. Click New. The Create Bridge dialog displays. 



78 



Chapter 6: Software and Hardware Bridges 




3. Configure bridge options: 

a. In the Bridge Name field, enter a name for the bridge — up to 16 
characters. The bridge name is case insensitive, that is, you cannot 
name one bridge ABC and another bridge abc. 

b. (Optional) If you want to assign the bridge to a failover group select it 
from the Failover Group drop-down list. 

c. See "Configuring Failover" on page 84 for more information about 
configuring failover. 

d. Click Add. The Add Bridge Interface dialog displays. 
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4. Configure the bridge interface options: 

a. From the Interface drop-down menu, select an interface. 

b. (Optional) To enable bridging loop avoidance, select Enable Spanning 
Tree. See "Bridging Loop Detection" on page 85 for more information 
about the Spanning Tree Protocol. 

c. If you are using firewall configurations that require the use of static 
forwarding table entries, add a static forwarding table entry that 
defines the next hop gateway that is on the correct side of the bridge. 
For more information on static forwarding table entries, see"Adding 
Static Forwarding Table Entries" on page 87. 

d. Click OK. 

e. Repeat Step 4 for each interface you want to attach to the bridge. 

5. Click OK to close the Create Bridge Interface and Create Bridge dialogs. 

6. Click Apply. 

Related CLI Syntax to Configure a Software Bridge 

SGOS# (config) bridge 

SGOS# (config bridge) edit bridge^name 

Configuring Programmable Pass-Through/NIC Adapters 

Some ProxySGs ship with a network adapter card that can be used as a pass- 
through adapter or as a Network Interface Card (NIC), depending on the 
configured mode. If the network adapter mode is set to disabled, the adapter 
interfaces can be used as NICs or as part of a software bridge. 
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If your appliance includes a programmable adapter card, the Edit Bridge dialog 
displays a Mode option that allows you to specify the card behavior. The following 
programmable adapter modes are available: 

□ Disabled — Disables the bridge and allows the adapter interfaces to be reused as 
NICs or as part of another bridge. 

□ Fail Open — If the ProxySG fails, all traffic passes through the bridge so clients 
can still receive data. 

□ Fail Closed — If the ProxySG fails, all traffic is blocked and service is 
interrupted. This mode provides the same functionality as a user-configured 
software bridge. 



Note: If you create a software bridge, the programmable bridge card mode is 
implicitly Fail Closed (if the appliance fails, the software bridge is non- 
functional). 



The following procedure describes programmable adapter configuration. 

To configure the function of the programmable adapter: 

1. Select Configuration > Network > Adapters > Bridges. 

2. In the Bridges section, select the bridge you want to configure. 

3. Click Edit. The Edit Bridge dialog displays. 
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4b 

4c 



Edit Bridge 



Bridge Name: 

Failover Group: 

Mode: 

■ d Propagate Failure 

■ | Clear Bridge Statistics 

Interfaces 

Interface 

m 

12:0 



Disabled 


V 


Disabled 


Fail Open 




Fail Clesed 





Add 



Edit 



L 



OK 



] C 



Cancel 



4. Configure the bridge options: 

a. Select the desired mode from the Mode drop-down list. 

b. If you have a two-interface bridge and want to enable link error 
propagation, select the Propagate Failure check box. 

c. (Optional) Click Clear Bridge Statistics to reset the traffic history of the 
bridge, which includes packet and byte counts, to 0. 

d. Click OK to save your changes and close the Edit Bridge dialog. 

5. Click Apply. 



Related CLI Syntax to Configure a Programmable Adapter Card 

SGOS# (config) bridge 

SGOS# (config bridge) edit bridge^name 
SGOS# (config bridge bridge_name) mode fail-open 
SGOS# (config bridge bridge_name) mode fail-closed 
SGOS# (config bridge bridge_name) mode disable 

Note: If the bridge adapters are not programmable, the mode commands are not visible. 
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Customizing the Interface Settings 

To further customize the bridge, edit the interface settings. 

Editing the interface settings allows you to 

□ Allow transparent interception. It is bypassed by default. You must configure 
the WAN interface to allow transparent interception. 



Note: If you have a MACH5 license, a programmable bridge card, and 
labeled WAN/ LAN interfaces, the WAN interface allows transparent 
interception by default. 

□ Firewall incoming traffic. Firewalls must be specifically configured. 

See Chapter 5: "Configuring Adapters and Virtual LANs" on page 57 for more 
information. 

The Bridge Settings options allow you to clear bridge forwarding table and clear 
bridge statistics. 

Setting Bandwidth Management for Bridging 

After you have created and configured a bandwidth management class for 
bridging, you can manage the bandwidth used by all bridges. Refer to Volume 5: 
Advanced Netzvorking for more information on bandwidth management. 

To configure bandwidth management for bridging: 

1. Select Configuration > Network > Adapters > Bridges. 

Adapters Bridges 



Bridging Bandwidth Class : 


<none> 

<none> 






j 


corp 


1 




Bridge Name 













2. In the Bridging Bandwidth Class drop-down menu, select a bandwidth 

management class to manage the bandwidth for bridging, or select <none> to 
disable bandwidth management for bridging. 



Note: This setting only controls the bandwidth class used by bypassed traffic 
on this bridge. To manage intercepted traffic, you must define a Manage 
Bandwidth policy (using VPM or CPL). 



3. Click Apply. 

Related CLI Syntax to Set a Bridging Bandwidth Class 

SGOS# (config bridge) bandwidth-class bridge_name 
SGOS# (config) bandwidth-management 
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SGOS# (config bandwidth-management) [ subcommands ] 

Configuring Failover 

In failover mode, two appliances are deployed, a master and a slave. The master 
sends keepalive messages ( advertisements ) to the slaves. If the slaves do not receive 
advertisements at the specified interval, the slave takes over for the master. When 
the master comes back online, the master takes over from the slave again. 

The SGOS bridging feature allows two different types of failover modes, parallel 
and serial. Hardware and software bridges allow different failover modes: 

□ Software bridges allow serial or parallel failover. However, note that if the 
ProxySG fails, serial failover also fails. 

□ Hardware bridges allow serial failover only. 

Parallel Failover 

In parallel failover mode, two systems are deployed side by side on redundant 
paths. In parallel failover, the slave does not actively bridge any packets unless 
the master fails. If the master fails, the slave takes over the master IP address and 
begins bridging. A parallel failover configuration is shown in the following 
figure. 




Because of the redundant paths, you must enable Spanning Tree to avoid bridge 
loops. See "Bridging Loop Detection" on page 85 for more information about STP. 



Serial Failover 

In serial failover mode, the slave is inline and continuously bridges packets, but 
does not perform any other operations to the bridged traffic unless the master 
fails. If the master fails, the slave takes over the master IP address and applies 
policy, etc. A serial configuration is shown in the following figure. 




Setting Up Failover 

Failover is accomplished by doing the following: 
□ Creating virtual IP addresses on each proxy. 
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□ Creating a failover group. 

□ Attaching the bridge configuration. 

□ Selecting a failover mode (parallel or serial). 

Both proxies can have the same priority (for example, the default priority). In that 
case, priority is determined by the local IP address — the ProxySG with the highest 
local IP will assume the role of master. 

Example 

The following example creates a bridging configuration with one bridge on 
standby. 



Note: This deployment requires a hub on both sides of the bridge or a switch 
capable of interface mirroring. 



□ ProxySG A — software bridge IP address: 10 . 0 . 0 . 2 . Create a virtual IP address 
and a failover group, and designate this group the master. 

SGOS_A# (config) virtual-ip address 10.0.0.4 

SGOS_A# (config) failover 

SGOS_A# (config failover) create 10.0.0.4 
SGOS_A# (config failover) edit 10.0.0.4 
SGOS_A# (config failover 10.0.0.4) master 
SGOS_A# (config failover 10.0.0.4) enable 

The preceding commands create a failover group called 10.0.0.4. The priority 
is automatically set to 254 and the failover interval is set to 4 0. 

□ ProxySG B — software bridge IP address: 10 . 0 . 0 . 3 . Create a virtual IP address 
and a failover group. 

SGOSB# (config) virtual-ip address 10.0.0.4 

SGOS^B# (config) failover 

SGOS^B# (config failover) create 10.0.0.4 
SGOS^B# (config failover) edit 10.0.0.4 
SGOS^B# (config failover 10.0.0.4) enable 

In the bridge configuration on each SG, attach the bridge configuration 
to the failover group: 

SGOS_A# (config bridge bridge_name) failover group 10.0.0.4 
SGOS^B# (config bridge bridge_name) failover group 10.0.0.4 

□ Specify the failover mode: 

SGOS_A# (config bridge bridge_name) failover mode serial 
SGOS_B# (config bridge bridge_name) failover mode serial 



Bridging Loop Detection 

Bridging now supports the Spanning Tree Protocol (STP). STP is a link 
management protocol that prevents bridge loops in a network that has redundant 
paths that can cause packets to be bridged infinitely without ever being removed 
from the network. 
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STP ensures that a bridge, when faced with multiple paths, uses a path that is 
loop-free. If that path fails, the algorithm recalculates the network and finds 
another loop-free path. 

The administrator can enable or disable spanning tree participation for the 
interface. 

Enable spanning tree participation: 

1. Select Configuration > Network > Adapters > Bridges. 

2. Select the desired bridge. 

3. Click Edit. 




4. In the Edit Bridge window, highlight the interface to configure and click Edit. 
The Edit Bridge Interface dialog displays. 
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Edit Bridge Interface [x] 




5. Click Enable Spanning Tree. 

6. Click OK to close the Edit Bridge Interface and Edit Bridge dialogs. 

7. Click Apply. 

Related CLI Syntax to Enable Spanning Tree Participation: 

SGOS# (config bridge bridge_name) spanning-tree adapter#-, interface# 
{enable | disable} 

Adding Static Forwarding Table Entries 

Certain firewall configurations require the use of static forwarding table entries. 
Failover configurations use virtual IP (VIP) addresses and virtual MAC (VMAC) 
addresses. When a client sends an ARP request to the firewall VIP, the firewall 
replies with a VMAC (which can be an Ethernet multicast address); however, 
when the firewall sends a packet, it uses a physical MAC address, not the VMAC. 

The solution is to create a static forwarding table entry that defines the next hop 
gateway that is on the correct side of the bridge. 

To create a static forwarding table: 

1. Select Configuration > Network > Adapters > Bridges. 

2. Select the bridge to edit and click Edit. The Edit Bridge Interface dialog 
displays. 
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3a 



3d 



3b 



3. Add the static forwarding table entry. 

a. In the Edit Bridge dialog, select the interface on which to create the 
static forwarding table entry. 

b. Click Edit. 

c. In the Edit Bridge Interfaces dialog, click Add. 

d. In the Add MAC dialog, add the MAC address of the next hop 
gateway and click OK. 

4. Click OK to close the Edit Bridge Interface and Edit Bridge dialogs. 

5. Click Apply . 

Related CLI Syntax to Create a Static Forwarding Table Entry 

SGOS# (config bridge bridge_name) static-fwtable-entry 
adapter#-, interface# mac-address 
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Bypass List Behavior 

The dynamic bypass list is handled differently, depending on the OS version. In 
SGOS 4.x, packets matching the dynamic bypass list are forwarded in the IP layer. 
In SGOS 5.x, the packets are forwarded in the bridge layer, which is more 
appropriate and efficient. For more information on using bypass lists in SGOS 5.x, 
refer to Volume 2: Proxies and Proxy Services. 

The behavior of the static bypass list stays the same. The packets are forwarded in 
IP layer. 
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This chapter describes how to distribute traffic originating at the ProxySG 
through multiple gateways. You can also fine tune how the traffic is distributed 
to different gateways. This feature works with any routing protocol (such as 
static routes or RIP). 



Note: Load balancing through multiple gateways is independent from the per- 
interface load balancing the ProxySG automatically does when more than one 
network interface is installed. 



Topics in this Chapter 

This chapter includes information about the following topics: 

□ "About Gateways" on page 91 

□ "ProxySG Specifics" on page 91 

□ "Switching to a Secondary Gateway" on page 92 

□ "Routing" on page 93 

About Gateways 

During the initial setup of the ProxySG, you optionally defined a gateway (a 
device that serves as entrance and exit into a communications network) for the 
ProxySG. 

By using multiple gateways, an administrator can assign a number of available 
gateways into a preference group and configure the load distribution to the 
gateways within the group. Multiple preference groups are supported. 

The gateway specified applies to all network adapters in the system. 

ProxySG Specifics 

Which gateway the ProxySG uses at a given time is determined by how the 
administrator configures the assignment of preference groups to default 
gateways. You can define multiple gateways within the same preference group. 
A ProxySG can have from 1 to 10 preference groups. If you have only one 
gateway, it automatically has a weight of 100. 

Initially, all gateways in the lowest preference group are considered to be the 
active gateways. If a gateway becomes unreachable, it is dropped from the 
active gateway list, but the remaining gateways within the group continue to 
be used until they all become unreachable, or until an unreachable gateway in a 
lower preference group becomes reachable again. If all gateways in the lowest 
preference group become unreachable, the gateways in the next lowest 
preference group become the active gateways. 
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In addition to a preference group, each gateway within a group can be assigned a 
relative weight value from 1 to 100. The weight value determines how much 
bandwidth a gateway is given relative to the other gateways in the same group. 
For example, in a group with two gateways, assigning both gateways the same 
weight value, whether 1 or 100, results in the same traffic distribution pattern. In a 
group with two gateways, assigning one gateway a value of 10 and the other 
gateway a value of 20 results in the ProxySG sending approximately twice the 
traffic to the gateway with a weight value of 20. 

Switching to a Secondary Gateway 

When a gateway goes down, the networking code detects the unreachable 
gateway in 20 seconds, and the switch over takes place immediately if a 
secondary gateway is configured. All configured gateways are affected, not just 
default gateways, as was the case in earlier releases. 

To configure multiple gateway load balancing: 

1. Select Configuration > Network > Routing > Gateways. 

Gateways Routing | RIP 

r IP gateways: 




2. Click New. The Add List Item dialog displays. 



92 



Chapter 7: Distributing Traffic Through Gateways 




3. Configure the gateway options: 

a. In the Gateway field, enter the gateway IP address, 

b. From the Group drop-down list, select the preference group for this 
gateway 

c. In the Weight field, enter the relative weight within the preference 
group. 

d. Click OK to close the dialog. 

4. Repeat steps 2 to 4 until IP addresses, groups, and weights have been defined 
for all of your gateways. 

5. Click Apply. 

Related CLI Syntax to Configure Multiple Gateway Load Balancing 

SGOS# (config) ip-default-gateway ip_address preference_group weight 



Routing 

By default, routing occurs transparently if the ProxySG can verify (trust) the 
destination IP addresses provided by the client. If the destination IP addresses 
cannot be trusted, the ProxySG uses static routes. 



Note: If your environment uses explicit proxy or Layer-4 redirection, or if the 
destination IP addresses cannot be verified by the ProxySG, static routes must be 
configured. 



Hardware or software bridges can be transparently routed if the destination IP 
address/hostname can be verified. If the client-provided destination IP address is 
not in the list of resolved IP addresses for the particular host, then the ProxySG 
uses static routes instead. For hostname-less protocols such as CIFS and FTP, the 
IP address can always be trusted. For other protocols, such as HTTP, RTSP, and 
MMS, which have a hostname that must be resolved, verification can be an issue. 
URL rewrites that modify the hostname also can cause verification to fail. 
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Transparent ADN connections that are handed off to an application proxy (HTTP 
or MAPI, for example) can utilize L2/L3 transparency. Also, transparent ADN 
connections that are tunneled but not handed off can utilize the functionality 



Note: IM is not supported with trust client addressing. In order to login and chat, 
the default router must have Internet access. Other IM features require direct 
connections, so static routes are required. 



This feature is not user-configurable. 

Using Static Routes 

If you use an explicit proxy or layer-4 redirection deployment, or a Blue Coat 
feature such as forwarding where the destination IP cannot be verified by the 
ProxySG, you can use static routes. 

A static route is a manually-configured route that specifies the transmission path 
a packet must follow, based on the packet's destination address. A static route 
specifies a transmission path to another network, and a default static route 
already exists. 

Situations in which static routes are used include: 

□ DNS load balancing. Sites that use DNS load balancing and return a single IP 
address cause a mismatch between the IP address provided by the client and 
the IP address resolved by the ProxySG. 

□ Anywhere that appropriate client-side routing information is unavailable, 
such as for forwarding hosts, dynamic categorization, and ADN peers. 



Note: For bridged deployments, transparent routing, in most cases, overrides 
any static route lookups. 



The routing table is a text file containing a list of IP addresses, subnet masks, and 
gateways. You are limited to 10,000 entries in the static routes table. The following 
is a sample router table: 

10 . 25 . 36.0 255 . 255 . 255.0 10 . 25 . 36.1 

10 . 25 . 37.0 255 . 255 . 255.0 10 . 25 . 37.1 

10 . 25 . 38.0 255 . 255 . 255.0 10 . 25 . 38.1 

When a routing table is installed, all requested URLs are compared to the list and 
routed based on the best match. 

You can install the routing table several ways. 

□ Using the Text Editor, which allows you to enter settings (or copy and paste 
the contents of an already-created file) directly onto the appliance. 

□ Creating a local file on your local system; the ProxySG can browse to the file 
and install it. 

□ Using a remote URL, where you place an already-created file on an FTP or 
HTTP server to be downloaded to the ProxySG. 
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□ Using the CLI inline static-route-table command, which allows you to 
paste a static route table into the ProxySG. 

□ Using the CLI static-routes command, which requires that you place an 
already-created file on an FTP or HTTP server and enter the URL into the 
ProxySG. 



Note: If you upgrade to SGOS 5.x from SGOS 4.x, entries from the central and 
local bypass lists are converted to static route entries in the static route table. The 
converted static route entries are appended after the existing static route entries. 
Duplicate static route entries are silently ignored. 

All traffic leaving the ProxySG is affected by the static route entries created from 
the SGOS 4.x bypass lists. 



Installing a Routing Table 

To install a routing table: 

1. Select Configuration > Network > Routing > Routing. 

2. From the drop-down list, select the method used to install the routing table; 
click Install. 

• Remote URL: 

Enter the fully-qualified URL, including the filename, where the routing 
table is located. To view the file before installing it, click View. Click Install. 
To view the installation results, click Results; close the window when you 
are finished. Click OK. 

• Local File: 

Click Browse to bring up the Local File Browse window. Browse for the file 
on the local system. Open it and click Install. When the installation is 
complete, a results window opens. View the results and close the window. 

• Text Editor: 

The current configuration is displayed in installable list format. You can 
customize it or delete it and create your own. Click Install. When the 
installation is complete, a results window opens. View the results, close 
this window, and click Close. 

3. Click Apply. 

Related CLI Syntax to Install a Routing Table 

To install a routing table, you can use the inline command to install the table 
directly, or enter a path to a remote URL that has an already-created text file ready 
to download. 

□ To paste a static route table directly into the CLI: 



95 



Volume I: Getting Started 



SGOS# (config) inline static-route-table end-of-file_marker 
paste static routing table 
eof 
ok 

□ To enter the static route table manually: 

SGOS# (config) inline static-route-table end-of-file_marker 

10 . 25 . 36.0 255 . 255 . 255.0 10 . 25 . 46.57 

10 . 25 . 37.0 255 . 255 . 255.0 10 . 25 . 46.58 

10 . 25 . 38.0 255 . 255 . 255.0 10 . 25 . 46.59 

eof 

ok 

□ To enter a path to a remote URL: 

SGOS# (config) static-routes path url 
SGOS# (config) load static-route-table 

Notes 

□ Any deployment that causes traffic to traverse the link from the ProxySG to 
the home router twice is not supported. Some WCCP configurations might 
not work as expected. 

□ If you use URL host rewrite functionality in your policies, mismatches can 
occur between the client-provided IP address and the resolved, rewritten 
hostname. In these cases, static routing is used. 
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This chapter describes various configuration tasks associated with Domain 
Name Services (DNS). During first-time installation of the ProxySG, you 
configured the IP address of a single primary DNS server. You can add one or 
more alternate DNS servers, as well as define custom DNS server groups. 

Topics in this Chapter 

This chapter includes information about the following topics: 

□ "About DNS" on page 97 

□ "About Configuring DNS Server Groups" on page 99 

□ "Adding DNS Servers to the Primary Group" on page 100 

□ "Adding DNS Servers to the Alternate Group" on page 101 

□ "Creating a Custom DNS Group" on page 102 

□ "Deleting Domains" on page 103 

□ "Deleting DNS Groups and Servers" on page 103 

□ "Resolving Hostnames Using Name Imputing Suffixes" on page 105 

□ "Caching Negative Responses" on page 106 



About DNS 

A hierarchical set of DNS servers comprises a Domain Name System. For each 
domain or subdomain, one or more authoritative DNS servers publish 
information about that domain and the name servers of any domains that are 
under it. 



Note: The DNS servers are configured in groups. For more information, see 
"About Configuring DNS Server Groups" on page 99. 



There are two types of queries, which are: 

□ Non-recursive, which means that a DNS server can provide a partial 
answer or return an error to the client 

□ Recursive, which means that the DNS server either fully answers the query 
or returns an error to the client 

ProxySG Using Non-Recursive DNS 

If you have defined more than one DNS server, the ProxySG uses the following 
logic to determine which servers are used to resolve a DNS host name and 
when to return an error to the client. 
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Note: Servers are always contacted in the order in which they appear in a group 
list. 



□ The ProxySG first checks all the DNS groups for a domain match, using 
domain-suffix matching to match a request to a group. 

• If there is a match, the servers in the matched group are queried until a 
response is received; no other DNS groups are queried. 

• If there is no match, the ProxySG selects the Primary DNS group. 

□ The ProxySG sends requests to DNS servers in the Primary DNS server group 
in the order in which they appear in the list. If a response is received from one 
of the servers in the Primary group, no attempts are made to contact any other 
Primary DNS servers. 

□ If none of the servers in the Primary group resolve the host name, the ProxySG 
sends requests to the servers in the Alternate DNS server group. (If no 
Alternate servers have been defined, an error is returned to the client.) 

• If a response is received from a server in the Alternate group list, there are 
no further queries to the Alternate group. 

• If a server in the Alternate DNS server group is unable to resolve the host 
name, an error is returned to the client, and no attempt is made to contact 
any other DNS servers. 



Note: The Alternate DNS server is not used as a failover DNS server. It 
is only used when DNS resolution of the Primary DNS server returns a 
name error. If the query to each server in the Primary list times out, no 
alternate DNS server is contacted. 



• If the ProxySG receives a referral (authoritative server information), DNS 
recursion takes over if it is enabled. See the next section, "ProxySG Using 
Recursive DNS" and "Enabling Recursive DNS" on page 99. 



Note: If the ProxySG receives a negative DNS response (a response with 
an error code set to name error), it caches that negative response. See 
"Caching Negative Responses" on page 106. 



ProxySG Using Recursive DNS 

If you have enabled recursive DNS, the ProxySG uses the following logic to 
determine how to resolve a DNS host name and when to return an error to the 
client. 

□ If the DNS server response does not contain an A record with an IP address 
but instead contains authoritative server information (a referral), the ProxySG 
follows all referrals until it receives an answer. If the ProxySG follows more 
than eight referrals, it assumes there is a recursion loop, aborts the request, 
and sends an error to the client. 
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Enabling Recursive DNS 

If you have a DNS server that cannot resolve all host names, it might return a list 
of authoritative DNS servers instead of a DNS A record that contains an IP 
address. To avoid this situation, configure the ProxySG to recursively query 
authoritative DNS servers. 

To enable recursive DNS: 

1. Select Configuration > Network > DNS > Groups. 

2. Select Enable DNS Recursion. 

3. Click Apply. 

Related CLI Syntax to Enable Recursive DNS 

SGOS# (config) dns recursion enable 

Related CLI Syntax to Disable Recursive DNS 

SGOS# (config) dns recursion disable 

About Configuring DNS Server Groups 

Customers with split DNS server configuration (for example, environments that 
maintain private internal DNS servers and external DNS servers) might choose to 
add servers to an Alternate DNS server group as well as to the Primary DNS 
server group. In addition, you can create custom DNS server groups. 

In the ProxySG, internal DNS servers are placed in the Primary group, while 
external DNS servers (with the Internet information) populate the Alternate 
group. 

The following rules apply to DNS server groups: 

□ You can add servers to the Primary and Alternate groups, but you cannot 
change the domain or add additional domains; these groups are defined at 
initial configuration. 

□ The Primary and Alternate DNS groups cannot be deleted. 

□ A custom DNS group must have at least one server in order to add domains. 

About DNS Health Checks 

Each time you add a DNS server to a group, the ProxySG automatically creates a 
DNS health check for that server IP address and uses a default configuration for 
the health check. For example, if you add a DNS server to a primary or alternate 
DNS group, the created health check has a default hostname of bluecoat.com. If 
you add a DNS server to a custom group, the longest domain name is used as the 
default hostname for the health check. 

After you add DNS servers to a group, we recommend that you check the DNS 
server health check configurations and edit them as required. For complete details 
about configuring DNS server health checks, see Volume 5, Advanced Networking, 
Chapter 14, Section E: "DNS Server Health Checks." 
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Adding DNS Servers to the Primary Group 

When you installed the ProxySG, you configured a Primary DNS server. You can 
add DNS servers to the Primary server group or delete DNS servers from the 
Primary group, but you cannot delete the group. 

To add DNS servers to the Primary group: 

1. Select Configuration > Network > DNS > Groups. 



Groups Imputing 

- DNS Groups 

Group Name Servers Domains 

primary 110.2.2.100 I* 

alternate [l0.2. 1.100 j* 




| New | | Edit | | Delete 

@ Enable DNS Recursion 

















Preview 


II 


Apply 


II 


Revert 


II 


Help 



2. Click Edit. The Edit DNS Forwarding Group dialog displays. 




3. Enter the IP address of each additional Primary DNS server and click OK. 

4. Click Apply. 
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Related CLI Syntax to Add a Primary DNS Server 

To add a primary DNS server: 

SGOS# (config) dns-f orwarding 

(config dns forwarding) edit primary 

(config dns forwarding primary) add server server_ip 

See Also 

a "About DNS" 

□ "Adding DNS Servers to the Alternate Group" 

□ "Creating a Custom DNS Group" 

□ "About Configuring DNS Server Groups" 
a "Promoting DNS Servers in a List" 

Adding DNS Servers to the Alternate Group 

To add DNS servers to the Alternate group: 

1. Select Configuration > Network > DNS > Groups. The list of DNS groups displays. 

2. Select the Alternate group and click Edit. The Edit DNS Forwarding Group dialog 
displays. 

3. Enter the IP address of each additional Alternate DNS server and click OK. 



Note: You can add IP addresses to the Alternate DNS group, but you cannot 
change the domain or add additional domains. This group is defined at initial 
configuration. 



4. Click Apply. 

Related CLI Syntax to Adding an Alternate DNS Server 

To add an alternate DNS server: 

SGOS# (config) dns-f orwarding 

(config dns forwarding) edit alternate 

(config dns forwarding alternate) add server server_ip 

See Also 

a "About DNS" 

□ "About Configuring DNS Server Groups" 

□ "Adding DNS Servers to the Primary Group" 

□ "Creating a Custom DNS Group" 
a "Promoting DNS Servers in a List" 
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Creating a Custom DNS Group 

Custom groups enable you to specify servers and domains for specific company 
needs (such as resolving internal or external hostnames) depending on how you 
have set up your primary and alternate DNS groups. 

Valid DNS entry formats are: 

example . com 
www . example . com 

Notes: 

□ You can create a maximum of 10 custom groups, and each custom group can 
contain a maximum of four DNS servers and eight domains. 

□ Groups do not accept wild cards, such as: 

* . example . com 

□ Groups do not partially match domain names, such as: 

* . example . com 
. example . com 

Further more: 

exam. com 

does not match queries for www . example . com. 

□ DNS record requirements have been relaxed, as discussed in RFC 2181. 
Review sections 10 and 11 for more information. 

To create a custom group: 

1. Select Configuration > Network > DNS > Groups. The list of DNS groups displays. 

2. Click New. The Create DNS Forwarding Group dialog displays. 

3. Enter a name for the DNS group. 

4. Enter the servers and the domains for the group, and click OK. The custom 
group displays in the DNS Groups list. 

5. Click Save. 

Related CLI Syntax to Create a Custom DNS Group 

To create a custom DNS group: 

SGOS# (config) dns-f orwarding 

(config dns forwarding) create group_alias server_ip 

See Also 

a "About DNS" 

□ "About Configuring DNS Server Groups" 

□ "Adding DNS Servers to the Primary Group" 

□ "Adding DNS Servers to the Alternate Group" 
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□ "Promoting DNS Servers in a List" 

Deleting Domains 

If a domain becomes defunct, you can easily delete it from a DNS group. In 
addition, you need to delete all domains associated with the last server in any 
DNS group before you can delete the server. 

To delete domains: 

1. Select Configuration > Network > DNS > Groups. The list of DNS groups displays. 

2. Select the DNS group in the list and click Edit. The Edit DNS Forwarding 
Group dialog displays. 

3. Delete domains, and click OK. 

4. Click Apply. 

Related CLI Syntax to Delete a Domain 

To delete a domain: 

SGOS# (config) dns-f orwarding 

(config dns forwarding) edit group_alias 

(config dns forwarding group_alias) remove domain domain 

See Also 

"Deleting DNS Groups and Servers" 

Deleting DNS Groups and Servers 

The following list describes the specific rules that apply when deleting DNS 
groups and servers. 

□ You cannot delete the Primary or Alternate DNS group; you can only delete a 
custom DNS group. 

□ You cannot delete the last server in any DNS group while there are still 
domains that reference that group; doing so returns an error message. 

To delete a DNS server: 

1. Select Configuration > Network > DNS > Groups. 

2. Select the DNS group from which to delete a server, and click Edit. The Edit DNS 
Forwarding Group dialog displays. 

3. Delete the server, then click OK. 

4. Click Apply. 
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To delete a custom DNS group: 

1. Select Configuration > Network > DNS > Groups. 

2. Select the custom DNS group to delete, and click Delete. A dialog box displays 
asking you to confirm your choice. 

3. Click OK to delete the group. 

Related CLI Syntax to Delete a DNS Server 

To delete a DNS server: 

SGOS# (config) dns-f orwarding 

(config dns forwarding) edit group_alias 

(config dns forwarding groupalias) remove server serverip 

Related CLI Syntax to Delete A Custom DNS Group 

To delete a custom DNS group: 

SGOS# (config) dns-f orwarding 

(config dns forwarding) delete group_alias 

See Also 

□ "Deleting Domains" 

a "Promoting DNS Servers in a List" 

Promoting DNS Servers in a List 

Using the CLI, you can promote DNS servers in the list for any DNS forwarding 
group. 

To promote DNS servers in a list: 

# (config dns forwarding) edit group_alias 

This changes the prompt to: 

# (config dns forwarding group) 

# (config dns forwarding group) promote server_ip #This promotes the 
specified server IP address in the DNS server list the number of places 
indicated. You must use a positive number. If the number is greater than the 
number of servers in the list, the server is promoted to the first entry in the list. 

See Also 

a "Adding DNS Servers to the Primary Group" 
a "Adding DNS Servers to the Alternate Group" 
a "Creating a Custom DNS Group" 

□ "Deleting DNS Groups and Servers" 
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Resolving Hostnames Using Name Imputing Suffixes 

The ProxySG queries the original hostname before checking imputing suffixes 
unless there is no period in the hostname. If there is no period in the hostname, 
imputing is applied first. 

The ProxySG uses name imputing to resolve hostnames based on a partial name 
specification (DNS name imputing suffix). When the ProxySG submits a 
hostname to the DNS server, the DNS server resolves the hostname to an IP 
address. 

The ProxySG then tries each entry in the name-imputing suffixes list until the 
name is resolved or it reaches the end of the list. If by the end of the list the name 
is not resolved, the ProxySG returns a DNS failure. 

For example, if the name-imputing list contains the entries example . com and com, 
and a user submits the URL http: //www. eedept, the ProxySG resolves the host 
names in the following order. 

www . eedept 

www . eedept . example . com 
www . eedept . com 

Adding and Editing DNS Name Imputing Suffixes 

Using name imputing suffixes is particularly useful for a company's internal 
domains. For example, it can enable you to simply enter Webserver rather than the 
more elaborate webServer.inOurInternalDomain.ForOurCompany.com. Also, this 
resolves any problem with external root servers being unable to resolve names 
that are internal only. 

To add names to the imputing list: 

1. Select Configuration > Network > DNS > Imputing. 

The Imputing tab displays. 

2. Click New. The Add List Item dialog displays. 




3. Enter the DNS name imputing suffix and click OK. 

The name displays in the DNS name imputing suffixes list. 

4. Click Apply. 
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Related CLI Syntax to Add Names to the Imputing List 

To add names to the imputing list: 

SGOS# (config) dns imputing name 

To edit DNS name imputing suffixes: 

1. Select Configuration > Network > DNS > Imputing. 

2. Select a name in the list and click Edit. The Edit List Item dialog displays. 




3. Edit the name imputing suffix as required and click OK. 

4. Click Apply. 

Changing the Order of DNS Name Imputing Suffixes 

The ProxySG uses imputing suffixes according to the list order. You can organize 
the list of suffixes so the preferred suffix displays at the top of the list. 

Note: This functionality is only available through the Management Console. You 
cannot configure it using the CLI. 



To change the order of DNS name imputing suffixes: 

1. Select Configuration > Network > DNS > Imputing. 

2. Select the imputing suffix to promote or demote. 

3. Click Promote entry or Demote entry, as appropriate. 

4. Click Apply. 

Caching Negative Responses 

By default, the ProxySG caches negative DNS responses sent by a DNS server. 
You can configure the ProxySG to set the time-to-live (TTL) value for a negative 
DNS response to be cached. You can also disable negative DNS response caching. 



Note: The ProxySG generates more DNS requests when negative caching is 
disabled. 
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The ProxySG supports caching of both type A and type PTR DNS negative 
responses. 

This functionality is only available through the CLI. You cannot configure DNS 
negative caching through the Management Console. 

To configure negative caching TTL values: 

From the (config) prompt: 

SGOS# (config) dns negative-cache- ttl-override seconds 

where seconds is any integer between 0 and 600. 

Setting the TTL value to 0 seconds disables negative DNS caching; setting the TTL 
setting to a non-zero value overrides the TTL value from the DNS response. 

To restore negative caching defaults: 

From the (config) prompt): 

SGOS# (config) dns no negative-cache-ttl-override 
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This chapter describes how to back up your configuration and save it on a 
remote system so that you can restore it in the unlikely event of system failure 
or replacement. ProxySG configuration backups are called archives. 

The archive, taken from the running configuration, contains all system settings 
differing from system defaults, along with any installable lists configured on 
the ProxySG. 

You should regularly archive the ProxySG configuration so that you can restore 
it to its previous state in case of error. Also, certain conditions require a 
complete restoration of the system configuration, for example, if you are 
upgrading all the disk drives in a system. You should also archive the system 
configuration before performing any software or hardware upgrade or 
downgrade. 

Existing configuration archives (modified to include only general parameters, 
not system-specific settings) can also be used to propagate configuration 
settings to newly-manufactured ProxySG appliances. This process is called 
configuration sharing. 

Before Reading Further 

Before reading this chapter, you should be familiar with the concepts in the 
following user guides: 

□ The device authentication information in Volume 5: Advanced Networking. 

□ The X.509 and SSL information in Volume 4: Securing the Blue Coat ProxySG 
Appliance. 

Topics in this Chapter 

The following topics are covered in this chapter: 

a Section A: "Archiving Tasks Quick Reference" on page 110 

a Section B: "Overview of the Archiving and Restoration Process" on page 113 

a Section C: "About What is Not Archived" on page 115 

a Section D: "Planning for Archive Creation and Restoration" on page 116 

a Section E: "Creating Configuration Archives" on page 125 

a Section F: "Restoring a Configuration Archive" on page 131 

a Section G: "Sharing Configurations" on page 137 

a Section H: "Troubleshooting" on page 139 
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Section A: Archiving Tasks Quick Reference 

Section A: Archiving Tasks Quick Reference 

The following table lists common host agent management tasks and the location 
of the Operations Manager user-interface page that enables you to complete them. 



Table 9-1 Archiving Task Table 



If You Want to... 


Go To... 


Understand archiving terminology 


"Terminology" on page 110 


Understand the archive and restoration 
process 


"Overview of the Archiving and 
Restoration Process" on page 113 


Find out what is not archived 


"About What is Not Archived" on page 
115 


Learn about the archive types 


"Selecting a Configuration Archive 
Type" on page 116 


Understand signed archives 


"Using Signed and Unsigned Archives" 
on page 117 


Learn how to save encrypted passwords 


"Saving Encrypted Passwords" on page 
118 


Create an unsigned archive 


"Creating and Saving an Unsigned 
Configuration Archive" on page 125 


Create a signed archive 


"Creating and Saving a Signed 
Configuration Archive to Local Disk" on 
page 126 


Upload an archive to a remote server 


"Creating and Uploading an Archive to 
a Remote Server" on page 127 


Understand file name identifiers 


"Adding Identifier Information to 
Archive Filenames" on page 130 


Restore an archive 


"Restoring an Archive" on page 131 


Share Configurations 


"Sharing Configurations" on page 137 


Troubleshoot archive configuration 


"Troubleshooting" on page 139 



Terminology 

Familiarize yourself with the following terms. 

Source Device 

The ProxySG used to generate the configuration archive. 

Target Device 

The ProxySG you are installing the configuration archive onto. 
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Signed Archive 

A configuration backup that is cryptographically signed with a key known only 
to the signing entity — the digital signature guarantees the integrity of the content 
and the identity of the originating device. You can then use a trusted CA 
Certificate List (CCL) to verify the authenticity of the archive. 

Unsigned Archive 

A configuration backup that is created without a digital signature. There is no 
way to programmatically verify the integrity of an unsigned archive. 

configuration-passwords-key 

Am SSL keyring that contains a keypair but not a certificate. This keyring is used 
to encrypt passwords in the show configuration command. You must record the 
configuration-passwords-key data to restore a configuration archive onto a 
device other than the source device. 

Key Pair 

In SSL, the combination of private and public keys that are used to encrypt and 
decrypt data. Public keys are provided to other hosts so that data can be 
encrypted; private keys are used to decrypt data. The public key is "trusted" 
when it is guaranteed to belong to an entity by a trusted certificate authority (CA). 

Keyring 

A repository for encryption key pairs and optionally, certificates and certificate 
signing requests (CSRs). 

Appliance Certificate 

Am X.509 certificate that contains the hardware serial number of a specific 
ProxySG device as the CommonName (CN) in the subject field. This certificate 
then can be used to authenticate the ProxySG whose hardware serial number is 
listed in the certificate. Information from the presented certificate is extracted and 
used as the device ID. The appliance certificate can be used to sign archives; the 
signature guarantees the authenticity of the archive. 

Certificate Authority (CA) 

A CA is a trusted, third-party organization or company that issues digital 
certificates used to create digital signatures and public key/ private key pairs. The 
role of the CA is to guarantee that the individuals or company representatives 
who are granted a unique certificate are who they claim to be. When using signed 
archives, you must have a CA guarantee the archive signature (or you can use a 
self-signed certificate). 

CA Certificate List (CCL) 

A CCL contains a subset of the CA Certificates available on the ProxySG and 
allows the administrator to control the set of CA certificates trusted for a 
particular set of SSL connections. A CCL is required to validate signed archives. 
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You must ensure that the CCL used to verify the authenticity of signed archives 
includes the CA that signed the signing certificate (or includes the signing 
certificate itself, if the certificate is self-signed). 



112 



Chapter 9: Backing Up the Configuration 



Section B: Overview of the Archiving and Restoration Process 

Section B: Overview of the Archiving and Restoration Process 

Unless you restore the SSL configuration-passwords-key keyring from the source 
device, archives can only be restored onto the same device that was the source of 
the archive. This is because the encrypted passwords in the configuration (login, 
enable, FTP, etc.) cannot be decrypted by a device other than that on which it was 
encrypted. For more information, see "Saving Encrypted Passwords" on page 118. 

The following procedure describes the high-level steps required to create and 
restore a configuration archive. 

1. Record the configuration-passwords-key data on the source ProxySG, as 
described in "Option 1: Recording SSL Keyring and Key Pair Information" on 
page 118. If you need to restore the archive onto a different appliance, you 
must have this data. 

Do not lose the password used to encrypt the private key. If you do, you will 
not be able to recover your private keys. 

2. Record any other SSL keyring data you want to save. 

3. If you are creating an unsigned archive, go to Step 5. Otherwise, go to Step 4. 

4. Verify that the source ProxySG has an appliance certificate, as described in 
"Determining if the ProxySG Has an Appliance Certificate" on page 117. If it 
does not have an appliance certificate: 

a. Create a keyring on the appliance. 

A keyring contains a public/ private key pair. It can also contain a 
certificate signing request or a signed certificate. 

b. Create a Certificate Signing Requests (CSR) and send it to a Certificate 
Signing Authority (CA). 

c. Have the CA sign the CSR. 

To get more information about appliance certificates, refer to the X.509 
certificate information in Volume 4: Securing the Blue Coat ProxySG Appliance. 

5. Archive the configuration, as described in "Creating Configuration Archives" 
on page 125. 

6. Store the archive in a secure location. 

7. When you are ready to restore the archive, import the configuration- 
passwords-key onto the target device, as described in "Importing an Existing 
Key Pair and Certificate" on page 134. 

8. Restore the archive, as described in "Restoring a Configuration Archive" on 
page 131. 

Figure 9-1 on page 114 describes the archive creation process. 
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Figure 9-1 Flow Chart of Archive Creation Process 

See Also 

□ "Archiving Tasks Quick Reference" on page 110 

□ "Planning for Archive Creation and Restoration" on page 116 

□ "Troubleshooting" on page 139 
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Section C: About What is Not Archived 

Archiving saves the ProxySG appliance configuration only. Archives do not save 
the following: 

□ Cache objects 

□ Access logs 

□ Event logs 

□ License data (you might need to reapply the licenses) 

□ Software image versions 

□ SSL key data 

See "Saving Encrypted Passwords" on page 118 for more information. 

□ Content-filtering databases 
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Section D: Planning for Archive Creation and Restoration 

The following table lists planning tasks to consider before creating a configuration 
archive, and it describes where to find more information. 



Table 9-2 Configuration Archive Planning Considerations. 



Task 


Go to... 


1. Select the appropriate archive type. 


"Selecting a Configuration Archive 
Type" on page 116 


2. Choose to use a signed or unsigned 
archive. 


"Using Signed and Unsigned Archives" 
on page 117 


3. Determine how to treat encrypted 
passwords. 


"Saving Encrypted Passwords" on page 
118 


4. Select an upload transport. 


"Selecting an Upload Transport 
Method” on page 124 



Selecting a Configuration Archive Type 

Three different archive types are available. Each archive type contains a different 

set of configuration data: 

□ Configuration - post setup: This archive contains the configuration on the current 
system — minus any configurations created through the setup console, such as 
the IP address. It also includes the installable lists but does not include SSL 
private key. Use this archive type to share an appliance's configuration with 
another. See "Sharing Configurations" on page 137 for more information. 

□ Configuration - brief: This archive contains the configuration on the current 
system and includes the setup console configuration data, but does not 
include the installable lists or SSL private key and static route information. 



Note: An installable list is a list of configuration parameters that can be 
created through a text editor or through the CLI inline commands and 
downloaded to the ProxySG from an HTTP server or locally from your PC. 
Configurations that can created and installed this way include the SG Client, 
archiving, forwarding hosts, SOCKS gateways, ICP, policy files, and 
exceptions. 



□ Configuration - expanded: This is the most complete archive of the system 
configuration, but it contains system-specific settings that might not be 
appropriate if pushed to a new system. It also does not include SSL private 
key data. If you are trying to create the most comprehensive archive. Blue 
Coat recommends that you use the configuration-expanded archive. 
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Using Signed and Unsigned Archives 

The ProxySG provides two methods for creating archives, signed and unsigned. A 
signed archive is one that is cryptographically signed with a key known only to 
the signing entity — the digital signature guarantees the integrity of the content 
and the identity of the originating device. You can then use a trusted CA 
Certificate List (CCL) to verify the authenticity of the archive. 

Use signed archives only when security is high priority. Otherwise, use unsigned 
archives. 



Note: Refer to the CCL information in Volume 4: Securing the Blue Coat ProxySG 
Appliance for more information about CCLs and SSL. 



Identifying Signed Archives 

A signed archive is a tar file that contains the following files: 

□ show configuration output 

□ pkcs#7 detached signature 

Signed archives can be identified by the .bcsc extension. 

Signing guarantees that the archive has not been modified. If you modify a signed 
archive, you must subsequently restore it as an unsigned archive. 



Note: If you created a signed archive and want to verify its authenticity before 
modifying it, use OpenSSL or another tool to verify the signature before 
making modifications. (The use of Open SSL is beyond the scope of this 
document.) Because a signed archive contains the output of the show 
configuration command, you can extract the show configuration command 
output, modify it as required, and treat the archive as unsigned thereafter. 



If you have enforced signed archive installation by selecting the Enforce installation 
of signed archives option, non-signed archives cannot be uploaded to the ProxySG. 

Determining if the ProxySG Has an Appliance Certificate 

To create signed archives, your appliance must have an SSL certificate guaranteed 
by a CA. If your appliance has a built-in appliance certificate, you can use it and 
the corresponding appliance-cci CCL to sign the archive. Devices manufactured 
before July 2006 do not support appliance certificates. 

To determine if your device has an appliance certificate: 

1. Use an SSH client to establish a CLI session with the ProxySG. 

2. Enter enable mode: 

SGOS # enable 

3. Enter the following command: 

SGOS # show ssl certificate appliance-key 
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The appliance certificate displays if the appliance has one. Otherwise, the 
following error is displayed: 

Certificate "appliance-key" not found 

If your appliance does not have a built-in appliance certificate, you can obtain one 
or specify a CA Certificate List (CCL) to use to verify the authenticity of your 
signed archive. For more information, refer to the ProxySG authentication 
information in Volume 5: Advanced Networking. 

Saving Encrypted Passwords 

Encrypted passwords (login, enable, FTP, etc.) cannot be decrypted by a device 
other than that on which it was encrypted — unless you restore the 
configuration-passwords-key keyring from the device on which the archive was 
created. This keyring is used to encrypt and decrypt the passwords and the 
passwords cannot be restored without it. 

Therefore, to install a configuration archive onto another device, you must do one 
of the following: 

□ Restore the original configuration-passwords-key keyring 

□ Change the encrypted passwords to clear text so that they can be regenerated. 
The following sections describe these options. 



Note: Hashed passwords do not have to be changed to clear text. When you 
restore the archive, they are restored as specified on the source device. The 
difference between hashing and encryption is that encryption enables 
information to be decrypted and read, while hashing is a mathematical 
function used to verify the validity of data. For example, a system might not 
need to know a user's password to verify that password. The system can rim a 
hash function on the password and confirm that the mathematical result 
matches that specified for the user. 



Option 1: Recording SSL Keyring and Key Pair Information 

For security reasons. Blue Coat recommends that you do not change encrypted 
passwords to clear text. Instead, preserve the configuration-passwords-key 
keyring on the source device (the appliance that you created the archive from) 
and import that keyring to the target device before you restore the archive. 

You can also use the following procedure to save any other keyrings required to 
reload SSL-related configuration that references those keyrings. 

To record the configuration-passwords-key keyring on the source ProxySG: 

1. Copy the following template to a text file and use it to record the certificate 
information so that you can import and restore it later. 



Note: The following example is shown in smaller text to preserve the 
structure of the commands. 
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I 

ssl ; switches from config mode to config ssl 

i 

inline keyring show conf iguration-passwords-key "end-inline" 

i 

end-inline 

inline keyring show default "end-inline" 

i 

end-inline 

i 

inline certificate default "end-inline" 

i 

end-inline 

i 

! repeat this process for each keyring. Be sure to import the private 
key first, then the keyrings certificate 

i 

exit ; returns to config mode 

i 



Do not specify your passwords; the system will prompt you for them when 
you restore the keys (SGOS 5.3 and later). You can modify the template to 
include other keyrings and certificates. 

2. From the CLI, access the config prompt (using the serial console or SSH): 

sgos # config terminal 

3. Enter the following commands: 

sgos # (config) ssl 

sgos # (config ssl) view keyring 



A listing of existing keyrings (and certificates) is displayed. 
For example (your keyrings might be different): 



sgos # (config ssl) view keyring 



Keyring ID: 

Private key showability: 
Signing request: 
Certificate : 



appliance-key 

no-show 

present 

absent 



Keyring ID: 

Private key showability: 
Signing request: 
Certificate : 



conf iguration-passwords-key 

show 

absent 

absent 



Keyring ID: 

Private key showability: 
Signing request: 



default 

show 

absent 
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Certificate : 

Certificate issuer: 
Certificate valid from: 



present 

Blue Coat SG200 Series 
Dec 04 20:11:04 2007 GMT 



Certificate valid to: Dec 03 20:11:04 2009 GMT 

Certificate thumbprint: 

9D:B2 :36:E5 :3D:B7 : 88 :21 :CB: 0A: 08 : 39 :2C:A1 : 4B:CB 



Keyring ID: 

Private key showability: 
Signing request: 
Certificate : 

Certificate issuer: 
Certificate valid from: 
Certificate valid to: 



passive-attack-protection-only-key 

show 

absent 

present 

Blue Coat SG200 Series 
Dec 04 20:11:07 2007 GMT 
Dec 03 20:11:07 2009 GMT 



Certificate thumbprint: 

0B : AD :07:A7:CF:D9:58:03:89:5B:67:35:43:B9:F2:C9 

4. Enter the following command: 

sgos #(config ssl) view keypair des3 conf iguration-passwords-key 



Note: The aesi28 and aes256 encryption options are also supported. 



5. When prompted, enter an encryption key password: 

Encryption key: ***** 

Confirm encryption key: ***** 

This password is used to encrypt the private-key before displaying it. After 
confirming the password, the ProxySG displays the encrypted private-key 
associated with that keyring. 



Important: Do not lose the password used to encrypt the private key. If you 

do, you will not be able to recover your private keys. 

For example: 

sgos #(config ssl) view keypair des3 configuration-passwords-key 
Encryption password: ***** 



Confirm encryption password: ***** 

BEGIN RSA PRIVATE KEY 

Proc-Type: 4, ENCRYPTED 

DEK-Info: DES-EDE3-CBC, D542F10E3FFF899F 

aFqxQNOD+32 1 IXdQ j CGmT+adeQqMiQDAyCOvWdta J+OmD j ITpd7bwi j cxWA8 9RB8 
y65NSiaOUmTClY9MM4 j 6T/fXhBspEu7Wyc/nM+005pJldxTmZgPig6TiIi01XtMI 
ymCLolx j Ar+vFSx7 j i 6 j UT13 JxZHf ksNd9DS0 6DHLr 6hJNERDi 9dGog5 61 zlwBo8 
zvs0x4PqB+mq05qewmReMs 9tnuLkGgBXguH+2Nw9hI0WKEa9KPFWrznD/ + zEZbEo 
nM+VOwn3nWuqcfRLFoSUP2QBZ581pU3XAUydabBnOuBOMR4a3CtF/W/vOp71 j J9o 
JL6Ao/S46A4UgPkuswGMYXolkG3K2 J/Ev4nMBua6HSZgM87DxvMSiCZlXxlKlBqv 
F9P+llo3mdR3g2LzKlDLTvlcA9pEPbW65gmnpGj /WLqhEyNPm+DkplxMtMESxNqM 



120 



Chapter 9: Backing Up the Configuration 



Section D: Planning for Archive Creation and Restoration 

4attb8fXAEcRI+liUWpjxnycqlm+dcFqq6/bLixYSQ4HGXFLx5qTot+FtIvB5h3g 
KwQusgaLVTiesn9K7BQK4w jX JKlDclIrog+ETlf kxt j 2oA5/ 7HN1 OArOogBxsZL j 
0LS5fwVfHNkuyNLUXZSAiLLoIqFIvtRiRf iWe3e/e JvazIaErEk4 ONvIaaXPl j 9p 
ENzK2dw9WS7xtcU5kAcdoiXl lFONauKDVUkHwhvqz3KnMtlp81 f kdUpiDlxaVfMg 
s2FApgj AsYciE JxDUf PLzYVlvpOpx6DW3tODOAlEKkPVNmd9RzlnXj k2CPTdPErC 
pKN+EIKs2kqpRE6hHu37zzN06ipPNu2cCSHI/ozc0X4= 

END RSA PRIVATE KEY 

6. Copy the configuration-passwords-key and paste it into the template under 

the inline keyring show configuration-passwords-key "end-inline" in the 

template. For example: 

inline keyring show configuration-passwords-key "end-inline" 

BEGIN RSA PRIVATE KEY 

Proc-Type: 4, ENCRYPTED 

DEK-Info: DES-EDE3-CBC, 2F6148C8A9902D7F 

HJjGKxpkcWBXj 42 4FhyQJPKRdgHUIxl2C6HKigth6hUgPqsS Jj 958FbzEx6ntsB 
H+jXj34Ni6U94/ 9ugYGEqWLCqed77Ml/WA4s 6U5TCI 9f ScVuGaoZ0EVhx4 81I3N 
LGQplOJXmrOL5vNj /el/LSeC0Hg+7ASyY/PaFr 9Dk8nRqAhoWMM/PQEl kvAxuXzE 
8hccf Zaal lHIMiPWfNzxf lRXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am 
tGVpxhZVN2Knf zSvaBAVYMh/ lGsxdE Jj j dNhzSu3uRVmSizl tPyAbz5tEG4Gzbae 
s JY/Fs8Tdmn+zRPE5nYQ/OtwRGWXzwXOeW+khafNE3iQlu6 j xbST6f CVn2bxw+q/ 
bB/dEFUMxreYj A08 /Tu8 6R9ypa3a+uzrXULixglLnBcnoSvOU+co5HA6 JuRohc5v 
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOVOHtYWtrylg9Puwl7TE56+kOEAOwU6FWd 
dTpGJRguh71FVmlQ12 18 7NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxdlnT 
X11U2 YgwwwHOgz JHBQPI f PhE9wJTedmldhW2 68kPFonclUY3dZTqOtiOLwtDf syx 
For zG9 JHhPmlUgLtuj siG5Cg8S183GSyJFqZs8VKxTyby7xa/rMk j tr/lpS + + 8Tz 
GZ4PimFJMObgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4VuOOPIPL98YYPvcV9h 
0Io/zDb7MPj IT5gYPku8 6f 7/ INIimnVj 2R0a0iPYlbKX7ggZEfWDPw== 

END RSA PRIVATE KEY 

7. If a certificate is associated with a keyring, enter the following command: 

sgos #(config ssl) view certificate keyring-name 

For example: 

sgos #(config ssl) view certificate configuration-passwords-key 
BEGIN CERTIFICATE 

MIICUzCCAbygAwIBAgIEFm6QWzANBgkqhkiG9wOBAQUFADBuMQswCQYDVQQGDAIg 
IDETMBEGAlUECAwKU2 9t ZS lTdGFOZTEfMBOGAlUECgwWQmxl ZSBDb2 FO IFNHMj Aw 
I FNlcml 1 c zETMBEGAl UECwwKND YwNTA2MDAwMTEUMBI GA1 UEAwwLMTAuOS 4 1 OS 4 y 
MTAwHhcNMDcxM j AOMj AxMTA3WhcNMDkxM j AzMj AxMTA3Wj BuMQswCQYDVQQGDAIg 
I DE TMBE GA 1 UECAwKU 2 9 1 Z S 1 T dG F 0 Z TE f MB 0 GA 1 UEC gwWQmx lZSBDb2F0I FNHM j Aw 
IFNI cml 1 c zETMBEGAl UECwwKND YwNTA2MDAwMTEUMBI GA1 UEAwwLMTAuOS 4 1 OS 4 y 
MTAwgZ8wDQY JKoZIhvcNAQEBBQADgYOAMIG JAoGBAJ/F/ Sn3CzYvbFPWDD03g9Y/ 

03 j wCrcXLU8cki 6SZUV1 9blgZBTgBY3KyD12baqZN12QGwkspEtDI4 5G3/K2GRIF 
REs3mKGxY7fbwgRpoL+nRT8w9qWH0393pGrlJKFldXbY0zn3p31EXUuGRfXkIqeA 
91 9uvOD5gOXOBEzrvDRnAgMBAAEwDQY JKoZIhvcNAQEFBQADgYEASgIR9r2MuRBc 
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ltHq/Lb5r IXnl3wFZENd/vi054 YOiWl ZixlpCBbDI kef 3DdJZLxVy3x7Gbw320fE 
3a7kf IMvVKWmNO+syAn4B2yasyOnxbSyOci JqlC42yP J+B j lMuYDmgIvMP6ne5UA 
gYYhe/koamOZNcIuaXrAS2v2 tYevrBc= 

END CERTIFICATE 

8. Copy the certificate and paste it into the template under the appropriate 

inline certificate cert_name "end-inline" line in the template. 

9. Optional — For each named keyring that you want to restore, repeat steps 4 to 

8 . 



Note: SGOS 5 .x has an appliance-key keyring. This keyring's private key is 
not viewable, and cannot be transferred to another ProxySG. The default and 
passive-attack-protection-oniy-key keys typically do not need to be 
restored either. 



10. Save the password information (that you used to encrypt the keys) in a secure 
place, for example, a restricted access cabinet or safe. 

After saving this data, create a configuration archive as described in "Creating 
Configuration Archives" on page 125. When you are ready to restore the archive, 
you must first restore the SSL data on the target appliance as described in 
"Importing an Existing Key Pair and Certificate" on page 134. 

Example: Completed SSL Data Template 

The following example shows a completed template. When you restore the data 
to the appliance, you will be prompted for the encryption password that you used 
to encrypt the keys. 



Note: The commands in the following example are bounded by the document 
text area and wrap to the next line. They are not shown here as they would 
appear in the CLI. See Step 1 in "Option 1: Recording SSL Keyring and Key Pair 
Information" on page 118 to view an example of how the commands should 
appear. 



ssl ; switches from config mode to config ssl 

I 

inline keyring show conf iguration-passwords-key "end-inline" 

BEGIN RSA PRIVATE KEY 

Proc-Type: 4, ENCRYPTED 

DEK-Info: DES-EDE3-CBC, 2F6148C8A9902D7F 

HJjGKxpkcWBXj 42 4FhyQJPKRdgHUIxl2C6HKigth6hUgPqsS Jj 958FbzEx6ntsB 
H+jXj34Ni6U94/ 9ugYGEqWLCqed77Ml/WA4s 6U5TCI 9f ScVuGaoZ0EVhx4 81I3N 
LGQplOJXmrOL5vNj / el/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQElkvAxuXzE 
8hccf Zaal lHIMiPWfNzxf lRXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am 
tGVpxhZVN2Knf zSvaBAVYMh/ lGsxdE Jj j dNhzSu3uRVmSizl tPyAbz5tEG4Gzbae 
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sJY/Fs8Tdmn+zRPE5nYQ/OtwRGWXzwXOeW+khafNE3iQlu6j xbST6f CVn2bxw+q/ 
bB/dEFUMxreYj A08 /Tu8 6R9ypa3a+uzrXULixglLnBcnoSvOU+co5HA6 JuRohc5v 
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOVOHtYWtrylg9Puwl7TE56+kOEAOwU6FWd 
dTpGJRguh71FVmlQ12 18 7NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxdlnT 
X11U2 YgwwwHOgz JHBQPI f PhE9w JTedmldhW2 68kPFonclUY3dZTqOtiOLwtDf syx 
For zG9 JHhPmlUgLtuj siG5Cg8S183GSyJFqZs8VKxTyby7xa/rMk j tr/lpS + + 8Tz 
GZ4PimFJMObgcMsZq6DkOs5MmLSRCIlgd3clPSHjcfp+H4VuOOPIPL98YYPvcV9h 
0Io/zDb7MPj IT5gYPku8 6f 7/ INIimnVj 2R0a0iPYlbKX7ggZEfWDPw== 

END RSA PRIVATE KEY 

end-inline 

i 

inline keyring show default "end-inline" 

BEGIN RSA PRIVATE KEY 

Proc-Type: 4, ENCRYPTED 

DEK-Info: DES-EDE3-CBC, 2F6148C8A99AAAA 

21JjGKxpkcWBXj 42 4FhyQJPKRdgHUIxl2C6HKigth6hUgPqsS Jj 958FbzEx6ntsC 
H+jXj34Ni6U94/9ugYGEqWLCqed77Ml/WA4s6U5TCI9fScVuGaoZ0EVhx481I3G 
LGQplOJXmrOL5vNj / el/LSeCOHg+7ASyY/PaFr9Dk8nRqAhoWMM/PQElkvAxuXzW 
8hccf Zaal lHIMiPWfNzxf lRXIEzA2NcUirDHO63/XU3eOCis8hXZvwfuC+DWw0Am 
tGVpxhZVN2Knf zSvaBAVYMh/ lGsxdE Jj j dNhzSu3uRVmSizl tPyAbz5tEG4Gzbae 
sJY/Fs8Tdmn+zRPE5nYQ/OtwRGWXzwXOeW+khafNE3iQlu6j xbST6f CVn2bxw+q/ 
bB/dEFUMxreYj A08 /Tu8 6R9ypa3a+uzrXULixglLnBcnoSvOU+co5HA6 JuRohc5v 
86ZPklQ9V4xvApY/+3Q+2mF9skJPsOVOHtYWtrylg9Puwl7TE56+kOEAOwU6FWd 
dTpGJRguh71FVmlQ12 18 7NEoyHquttlIHxRPEKRvNxgCzQI3GEOfmD9wcbyxdlnT 
XI 1U2 YgwwwHOgz JHBQPI fPhE9wJTedmldhW2 6 8 kPFonclUY3dZTqOtiOLwtDf syx 
For zG 9 JHhPmlUgLtuj siG5Cg8S183GSyJFqZs8VKxTyby7xa/rMkj tr/lpS++8Tz 
GZ4PimF JMObgcMsZq6DkOs5MmLSRCIlgd3clPSH j cfp+H4VuOOPIPL98 YYPvcV9h 
0Io/zDb7MPj IT5gYPku8 6f 7/ INIimnVj 2R0a0iPYlbKX7ggZEfWDPw== 

END RSA PRIVATE KEY 

end-inline 

i 

inline certificate default "end-inline" 

BEGIN CERTIFICATE 

MIICUzCCAbygAwIBAglEFj nHtzANBgkqhkiG9wOBAQQFADBuMQswCQYDVQQGDAJB 
VTE TMBE GA 1 UECAwKU2 9tZSlTdGF0ZTE f MB 0 GA 1 UEC gwWQmx lZSBDb2F0I FNHMj Aw 
I FNlcml lc zETMBEGAl UECwwKM j EwNzA2Mz 1 10DEUMBI GA1 UEAwwLMTAuOS 4 1 OS 4 x 
NTwwHhcNMDcxMDIlMTkxNzExWhcNMTcxMDI lMTkxNzExWj BuMQswCQYDVQQGDAJB 
VTETMBEGAlUECAwKU2 9t ZS lTdGFOZTEfMBOGAlUECgwWQmxl ZSBDb2 FO IFNHMj Aw 
I FNlcmllc zETMBEGAl UEdwwKMj EwN zA2Mz 1 1 ODEUMBI GA1 UEAwwLMTAuOS 4 1 OS 4 x 
NTEwgZ8wDQY JKoZIhvcNAQEBBQADgYOAMIGJAoGBANF9BL25FO JuBIFVyv j o3ygu 
ExUMOGMj Flq2TRrSi55Ftt5d/KNbxzhhz3i/DLxlwhO IFWs j v9+bKphrY8H0Ik9N 
Q81ru5HlXDvUJ2AW6J82CewtQt/I74xHkBvFJa/leN3uZ+D+fiZTX015m9+NmZMb 
zzGGbCWJRzuqp9zlDVNbqgMBAAEwDQY JKoZIhvcNAQEEBQADgYEAwMUYIalKFf 1 0 
J+lS/oZ+9g9IVih+AEtk5nWLoDASXuIaYPG5Zxo5ddW6wT5qvny5muPslB7ugYA 
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wEP3Eli+mwF4 9Lv4NS JFEkBuF7 Sgll/R2Qj 36Yj pdkxu6TPXlBKmnEcpoX9QlXbp 
XerHBHpMPwzHdj 14ELqSgxFy 9aei7y8= 

END CERTIFICATE 

end-inline 

I 

! repeat this process for each keyring. Be sure to import the private 
key first, then the keyrings certificate 

i 

exit ; returns to config mode 

i 

Option 2: Changing Encrypted Passwords to Clear Text 



Important: Blue Coat strongly recommends recording your SSL keyring and 

key pair data because changing encrypted passwords to clear text is highly 
insecure. Use the following procedure at your own risk. 



You can edit the configuration to change encrypted passwords to clear text if you 
choose to keep the existing configuration-passwords-key keyring intact on the 
new appliance. You do not need to change hashed passwords to clear text — when 
you restore the archive, new hashed-passwords are automatically generated using 
the target ProxySG appliance's configuration-passwords-key keyring. 



Important: This procedure is not valid for signed archives. Signing guarantees 

that the archive has not been modified. 



To change encrypted passwords to clear text: 

Manually search for every instance of encrypted-password, remove the 
encrypted- prefix, and change the encrypted password to clear text. For example: 

security encrypted-password " $1 $rWzR$BT5c6F/RHLPK7uU9Lx2 7 J . " 

In the previous example, if the actual password is biuecoat, then you must edit 
the entry as follows: 

security password "biuecoat" 

Selecting an Upload Transport Method 

Archives can be uploaded using HTTPS, HTTP, FTP, or TFTP If you are concerned 
about security, use HTTPS. For example, you should use HTTPS if you consider 
the configuration to be confidential. 

If you use HTTPS, you must specify an SSL device profile to use for the SSL 
connection. An SSL device profile, which can be edited, contains the information 
required for device authentication, including the name of the keyring with the 
private key and certificate this device uses to authenticate itself. The default 
keyring is appliance -key. (For information on private keys, public keys, and SSL 
device profiles, refer to Volume 4: Securing the Blue Coat ProxySG Appliance.) 
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Section E: Creating Configuration Archives 

Archive configuration requires you to complete pre-configuration planning tasks. 
The following table provides a high-level description of the tasks required to 
create and restore a configuration archive. Review this table, then read the 
referenced sections for detailed information about each task. 



Table 9-3 Archive Creation and Restoration Tasks 



Task 


Go to... 


1. Select the archive type. 


"Selecting a Configuration Archive Type" on 
page 116 


2. Determine whether to use signed or 
unsigned archives. 

Use signed archives if security is a 
concern. 


"Using Signed and Unsigned Archives" on 
page 117 


3. Select a method for dealing with 
encrypted passwords. 

The recommended method is to 
record the SSL keyring and key pair 
data for later restoration. 


"Saving Encrypted Passwords" on page 118 


4. Create and save the archive. 


"Creating and Saving an Unsigned 
Configuration Archive" on page 125 

or 

"Creating and Saving a Signed 
Configuration Archive to Local Disk" on 
page 126 
or 

"Creating and Uploading an Archive to a 
Remote Server" on page 127 


5. Restore the archive. 


"Restoring an Archive" on page 131 



Creating and Saving an Unsigned Configuration Archive 

This section describes how to use the Management Console to create an unsigned 
archive of the system configuration. Before performing the following procedure, 
consider the planning options described in "Planning for Archive Creation and 
Restoration" on page 116. 

To create an unsigned configuration archive: 

1. Record the configuration-pas swords -key keyring of the ProxySG you want to 
back up, as described in "Option 1: Recording SSL Keyring and Key Pair 
Information" on page 118. 
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Important: If you do not record the SSL data, encrypted passwords will not 

be able to be decrypted when you restore the archive to another device (for 
example, a replacement appliance) and none of the SSL-related 
configuration that references those keyrings can be used. 



2. Access the Management Console of the ProxySG you want to back up: 

https : / / ProxySG_IP: 8082 

3. Select Configuration > General > Archive. The Archive Configuration tab displays. 




4. Select a configuration type: 

a. In the View Current Configuration section, select Configuration - expanded 

from the View File drop-down list. 

b. View the configuration you selected by clicking View. 

A browser window opens and displays the configuration. 



Note: You can also view the file by selecting Text Editor in the Install 

Configuration panel and clicking Install. 



5. Save the configuration. 

You can save the file two ways: 

• Use the browser Save As function to save the configuration as a text file on 
your local system. This is advised if you want to re-use the file. 

• Copy the contents of the configuration. (You will paste the file into the 
Text Editor on the newly-manufactured system.) 

Creating and Saving a Signed Configuration Archive to Local Disk 

This section describes how to use the Management Console to save a signed 
archive of the system configuration to the local disk of the device you are using to 
access the ProxySG. Before performing the following procedure, consider the 
planning options described in "Planning for Archive Creation and Restoration" on 
page 116. 
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To create and save a signed configuration archive to local disk: 

1. Record the configuration-pas swords -key keyring of the ProxySG you want to 
back up, as described in "Option 1: Recording SSL Keyring and Key Pair 
Information" on page 118. 



Important: If you do not record the SSL data, encrypted passwords will not 

be able to be decrypted when you restore the archive to another device (for 
example, a replacement appliance) and none of the SSL-related 
configuration that references those keyrings can be used. 



2. Access the Management Console of the ProxySG you want to back up: 

https : / / ProxySGIP : 8082 

3. Select the Configuration > General > Archive > Archive Storage tab. 



Archive Configuration 

Signing 



Archive Storage 



Sign archives with keyring: appliance-key 



Local Save 



■ Save archive: Configuration - expanded 



Save 



4. From the Sign archives with keyring drop-down list, select a signing keyring to 
use or accept the default (appliance-key). 



5. Click Apply. 



Note: If you do not click Apply, a pop-up displays when you click Save that 
indicates that all unsaved changes will be saved before storing the archive 
configuration. The unsaved changes are the Sign archives with keyring option 
changes you made in Step 4. 



6. From the Save archive drop-down list, select the archive type (Blue Coat 
recommends Configuration - expanded). 

7. Click Save. 

A new browser window displays, prompting you to open or save the 
configuration to the local disk of the device you are using to access the 
ProxySG. 



Creating and Uploading an Archive to a Remote Server 

Use the following procedure to create a signed or unsigned archive and upload it 
to a secure, remote host. 
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You can use HTTP, HTTPS, FTP, or TFTP to upload the archive. When using 
signed archives. Blue Coat recommends uploading the system configuration 
using HTTPS. 

Before performing the following procedure, consider the planning options 
described in "Planning for Archive Creation and Restoration" on page 116. 

To create and upload an archive to a remote server: 



Note: This procedure creates only configuration - expanded archives. You 
cannot choose another type. 



1. Obtain write permission to a directory on a secure, remote host. This is where 
the archive will be stored. 

2. Record the conf iguration-passwords-key keyring of the ProxySG you want to 
back up, as described in "Option 1: Recording SSL Keyring and Key Pair 
Information" on page 118. 

Important: If you do not record the SSL data, encrypted passwords will not 

be able to be decrypted when you restore the archive to another device (for 
example, a replacement appliance) and none of the SSL-related 
configuration that references those keyrings can be used. 



3. Access the Management Console of the ProxySG you want to back up: 

https : / / ProxySGIP : 8082 

4. Select Configuration > General > Archive. 

5. Select the Archive Storage tab. 
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7a- 

7b 

7c 

7d 

7e- 



Archive Configuration Archive Storage 

- Signing 



Sign archives with keyring: default 



r Local Save 



Save archive: Configuration - post setup 



Save 



r Remote Upload 



-o Protocol: 

Filename prefix: 
-o Host: 

-o Path: 
o* Username: 



%A%H 



HTTP v 



Upload 



280.8.8.8 



Port: 443 



/Web/Docs 



admin 



Change Password 



6. For signed archives, ensure that a keyring has been selected in the Sign archive 
with keyring option. 

7. In the Remote Upload section, configure the upload settings: 

a. From the Protocol drop-down list, select an upload protocol. 



Note: For maximum security. Blue Coat recommends using HTTPS. 



b. Optional: Add filename prefixes to identify the archive. 

The prefixes add unique, time-based variables to the filename. For 
example: 

%H%A 

In the preceding example, the %h%a prefix adds the hour (in 24-hour 
format) and the full weekday name. Various combinations can be used. 
See "Adding Identifier Information to Archive Filenames" on page 130 for 
a list of allowed substitution values. 

c. Optional, for HTTPS — Select an SSL device profile to use for the SSL 
connection. 

See "Selecting an Upload Transport Method" on page 124 for more 
information about device profiles. 

d. Enter the remote server host name or IP address and port number. 

e. Enter the remote server upload path (not required for TFTP). 

f. Enter the user name associated with the remote host (not required for 
TFTP). 

g. Optional — Change the HTTP, HTTPS, or FTP password. 
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8. Click Upload. 

Adding Identifier Information to Archive Filenames 

Use the following prefix substitutions to add unique ID information to archive 
filenames. Specify these prefixes when using the Remote Upload option. 

Table 9-4 Filename Specifiers 



Specifier 


Description 


o, o. 
o o 


Percent sign. 


%a 


Abbreviated weekday name. 


%A 


Full weekday name. 


%b 


Abbreviated month name. 


%B 


Full month name. 


%C 


The ProxySG name. 


%d 


Day of month as decimal number (01 - 3 1 ). 


%H 


Hour in 24-hour format (00 - 23). 


%i 


First IP address of the ProxySG, displayed in x x x x format, with leading 
zeros removed. 


%i 


Hour in 12-hour format (01 - 12). 


%j 


Day of year as decimal number (00 1 - 366). 


1 

-L 


The fourth part of the ProxySG IP address, using three digits 

(001.002.003.004) 


%m 


Month as decimal number (01 - 12). 


%M 


Minute as decimal number (00 - 59). 


%p 


Current locale's A.M./P.M. indicator for 12-hour clock. 


%S 


Second as decimal number (00 - 5 9). 


%U 


Week of year as decimal number, with Sunday as first day of week (00 - 
53). 


%W 


Weekday as decimal number (0 - 6; Sunday is 0). 


%w 


Week of year as decimal number, with Monday as first day of week (00 - 
53). 


%y 


Year without century, as decimal number (00 - 9 9). 


% Y 


Year with century, as decimal number. 


% z , % Z 


Time-zone name or abbreviation; no characters if time zone is unknown. 
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Section F: Restoring a Configuration Archive 

To restore a configuration archive, you must: 

□ Perform pre-restoration tasks, for example, restoring the SSL configuration. 

□ For signed archives — Select a CCL to use to verify the archive. 

□ Restore the archive. 

The following sections describe these tasks. 

Restoring an Archive 

To install the archived configuration: 

1. Download a content filter database, if you previously had one and it was lost. 

If you restore the archive and it includes content filtering policy, the database 
must exist so that categories referenced within policy can be matched with the 
currently installed database. 

2. Connect to the appliance Management Console of the target appliance, that is 
the ProxySG that you are installing the configuration onto. 

https : // ProxySG_IP: 8082 

3. Go to the Management Console Home page and view the Software version: 
information to verify that the appliance is running the same software version 
that was used to create the archive. For example: 

Software version: SGOS 5. 3. 0.2 Proxy Edition 

You can also verify the version from the appliance CLI: 

SGOS # enable 
SGOS # show version 

4. Restore the configuration-passwords-key data and any other SSL key data. 

Import the configuration-passwords-key keyring as described in "Importing 
an Existing Key Pair and Certificate" on page 134. 

5. Select Configuration > General > Archive. 
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6. Optional, for signed archives — In the Install Configuration panel, check the 
setting of the Enforce installation of signed archives option. If this option is 
selected, only signed archives can be restored. 

7. Optional, for signed archives — Select a CCL to use to verify the archive from 

the Verify signed archive with CCL drop-down list. If you used the appliance-key 
keyring, select appliance-ccl. 



Note: Depending on the CA that was used to sign the certificate used for the 
archive signature, you might have to import a CA certificate and create an 
appropriate CCL. Refer to Volume 4: Securing the Blue Coat ProxySG Appliance 
for information about completing these tasks. 



8. Install the configuration using one of the following methods: 

• Local File: If you saved the file to your system, select Local File and click 
Install. Browse to the location of the archive and click Open. The 
configuration is installed, and the results screen displays. 

• Text File: If you copied the contents of the file, select Text Editor and click 
Install. Copy the contents of the text file into the Edit and Install the 
Configuration dialog and click Install. The configuration is installed, and 
the results screen displays. 

• Remote Download: If you uploaded the archive to a remote URL, select 
Remote URL and click Install. Enter the full path to the archive into the 
Install Configuration dialog and click Install. The configuration is installed, 
and the results screen displays. 

The username and password used to connect to the server can be 
embedded into the URL. For FTP, the format of the URL is: 
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f tp : / /username : password0 ftp- server 

where ftp-server is either the IP address or the DNS-resolvable hostname 
of the FTP server. 

If you do not specify a username and password, the ProxySG assumes that 
an anonymous FTP is desired and thus sends the following as the 
credentials to connect to the FTP server: 

username: anonymous 
password: proxy® 



Note: A message is written to the event log when you install a 
configuration on the ProxySG. 



Using the CLI to Archive and Restore a System Configuration 

Use the following procedure to archive and restore a system configuration using 
the CLI. 

Related CLI Syntax for Archiving 

To configure the archiving signing options: 

At the config prompt, enter the following command: 

#(config) archive-configuration archive-signing { enf orce-signed 
(enable | disable} | signing-keyring keyring-name I verify-ccl ccl- 
name} 

To set the SSL device profile: 

At the config prompt, enter the following command: 

# (config) archive-configuration ssl-device-prof ile ssl-device-profile 
name 

To set upload options: 

At the config prompt, enter the following commands: 

# (config) archive-configuration encrypted-password encrypted_pas sword 
# (config) archive-configuration password password 
# (config) archive-configuration username username 
# (config) archive-configuration filename-prefix filename 
# (config) archive-configuration host hostname 
# (config) archive-configuration path path 



Note: To clear the host, password, or path, type the above commands using 
empty double-quotes instead of the variable. For example, to clear the path, 
enter archive-configuration path 



# (config) archive-configuration port port 

# (config) archive-configuration protocol {ftp | tftp | http | https} 
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To archive a system configuration: 

At the enable command prompt, enter the following command: 

SGOS# upload configuration 

To restore a system configuration: 

At the enable command prompt, enter the following command: 

SGOS# configure network "url" 

where url must be in quotes and is fully-qualified (including the protocol, 
server name or IP address, path, and filename of the configuration file). 
The configuration file is downloaded from the server, and the ProxySG 
settings are updated. 



Note: If you rename the archived configuration file so that it does not 
contain any spaces, the quotes surrounding the URL are unnecessary. 



Importing an Existing Key Pair and Certificate 

Use the following procedure to import the key pair and certificate data (if you 
saved it as described in "Option 1: Recording SSL Keyring and Key Pair 
Information" on page 118) onto the system you are restoring the archive to. 



Note: You can also import a certificate chain containing multiple certificates. 
Use the inline certificate command to import multiple certificates through 



the CLI. 



If you are importing a keyring and one or more certificates onto a ProxySG, first 
import the keyring, followed by its related certificate. The certificate contains the 
public key from the keyring, and the keyring and certificate are related. 

To Import a keyring: 

1. Copy the already-created keypair onto the clipboard. 

2. Select Configuration > SSL > Keyrings > SSL Keyrings. 

3. If the keyring already exists, select the keyring and click Delete and Apply. 

4. Click Create. The Create Keyring dialog displays. 
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5. Configure the keyring options: 

a. In the Keyring Name field, enter a meaningful name for the keyring. 

b. Select a show option: 

• Show keypair allows the keys to be exported. 

• Do not show keypair prevents the keypair from being exported. 

• Show keypair to director is a keyring viewable only if Director is issuing 
the command using a SSH-RSA connection. 



Note: The choice among show, do not show and show keypair to director has 

implications for whether keyrings are included in profiles and backups 
created by Director. For more information, refer to the Blue Coat Director 
Configuration and Management Guide. 



c. Select Import keyring. 

The grayed-out Keyring field becomes enabled, allowing you to paste in the 
already existing keypair. The certificate associated with this keypair must 
be imported separately. 

If the keypair that is being imported has been encrypted with a password, 
select Keyring Password and enter the password into the field. 

6. Click OK. 
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To import a certificate and associate it with a keyring: 

1. Copy the certificate onto the clipboard. 

2. Select Configuration > SSL > Keyrings and click Edit/View. 

3. From the drop-down list, select the keyring that you just imported. 

4. Click Import in the Certificate field. 

5. Paste the certificate into the Import Certificate dialog that appears. Be sure to 

include the begin certificate and end certificate 

statements. 

6. Click OK. 

Related CLI Syntax to Import a Keyring 

SGOS# (config ssl) inline {keyring show | show-director | no-show} 

keyring_id eof 
Paste keypair here 
eof 

Related CLI Syntax to Import a Certificate and Associate it with a Keyring 

SGOS# (config) ssl 

SGOS# (config ssl) inline certificate keyring_id eof 

Paste certificate here 

eof 
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Section G: Sharing Configurations 

You can share configurations between two ProxySGs. You can take a post-setup 
configuration file (one that does not include those configuration elements that are 
established in the setup console) from an already-configured ProxySG and push it 
to a newly-manufactured or restored system. 



Note: Blue Coat Director allows you to push a configuration from one 
ProxySG to multiple appliances at the same time. For more information on 
using Director, see Volume 9: Managing the Blue Coat ProxySG Appliance and 
the Blue Coat Director Configuration and Management Guide. 



If you push a configuration archive to an appliance that is already configured, the 
archive is applied to the existing configuration, changing any existing values. This 
means, for instance, that if the new configuration creates a realm called RealmA 
and the existing configuration has a realm called RealmB, the combined 
configuration includes two realms, RealmA and RealmB. 

Configuration Sharing Requirements 

To share configurations, you must download a content filter database, if the 
configuration includes content filtering. 

You can use either the Management Console or the CLI to create a post-setup 
configuration file on one ProxySG and push it to another. 



Note: You cannot push configuration settings to a newly-manufactured 
system until you have completed initial setup of the system. 



To create a configuration archive of the source device’s settings using the CLI: 

1. Use an SSH client to establish a CLI session with the already configured 
ProxySG. 

2. From the enable prompt (#), enter the following command: 

show configuration post-setup 

This displays the configuration on the current system, minus any 
configurations created through the setup console, such as the hostname and IP 
address. It also includes the installable lists. 

3. Save the configuration. You can save the file two ways: 

• Copy the contents of the configuration to the clipboard. 

• Save it as a text file on an FTP server accessible to the ProxySG. This is 
advised if you want to re-use the file. 

4. On the newly-manufactured ProxySG, retrieve the configuration file by doing 
one of the following: 
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• If you saved the configuration to the clipboard, go to the (config) prompt 
and paste the configuration into the terminal. 

• If you saved the configuration on a remote server: 

At the enable command prompt, enter the following command: 

SGOS# configure network "url" 

See "Restoring a Configuration Archive" on page 131 for more information 
about formatting the URL for FTR 
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Section H: Troubleshooting 

When pushing a shared configuration or restoring an archived configuration, 
keep in mind the following issues: 

□ If the content-filtering database has not yet been downloaded, any policy that 
references categories is not recognized. 

□ Unless you restore the SSL configuration-passwords-key keyring from the 
source device, archives can only be restored onto the same device that was the 
source of the archive. This is because the encrypted passwords in the 
configuration (login, enable, FTP, etc.) cannot be decrypted by a device other 
than that on which it was encrypted. 

□ Do not take an expanded archive from an operational ProxySG and install it 
onto another ProxySG. Expanded archives contain system-specific settings 
(for example, hostnames, IP addresses, and connection forwarding settings) 
that will cause conflicts. 

□ To use signed archives, your appliance must have an SSL certificate 
guaranteed by a CA. If your appliance has a built-in appliance certificate, you 
can use it and the corresponding appliance-cci CCL to sign the archive. 
Devices manufactured before July 2006 do not support appliance certificates. 
If your appliance does not have a built-in appliance certificate, you must do 
the following: 

• Create a keyring on the appliance. 

A keyring contains a public/ private key pair. It can also contain a 
certificate signing request or a signed certificate. 

• Create a Certificate Signing Requests (CSR) and send it to a Certificate 
Signing Authority (CA). 

• Have the CA sign the CSR. 

To determine if your appliance has a built-in certificate, see "Determining if 
the ProxySG Has an Appliance Certificate" on page 117. 

See Also 

For more information about appliance certificates, refer to the X.509 certificate 
information in Volume 4: Securing the Blue Coat ProxySG Appliance. 
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access control list — Allows or denies specific IP addresses access to a server. 

access log — A list of all the requests sent to a ProxySG. You can read an access 
log using any of the popular log-reporting programs. When a client uses HTTP 
streaming, the streaming entry goes to the same access log. 

account — A named entity that has purchased the ProxySG or the Entitlements 
from Blue Coat. 

activation code — A string of approximately 10 characters that is generated and 
mailed to customers when they purchase the ProxySG. 

active content stripping — Provides a way to identify potentially dangerous mobile 
or active content and scripts, and strip them out of a response. 

active content types — Used in the Visual Policy Manager. Referring to Web 
Access policies, you can create and name lists of active content types to be 
stripped from Web pages. You have the additional option of specifying a 
customized message to be displayed to the user 

administration access policy — A policy layer that determines who can access the 
ProxySG to perform administrative tasks. 

administration authentication policy — A policy layer that determines how 
administrators accessing the ProxySG must authenticate. 

AJAX — Acronym for Asynchronous JavaScript and XML, the technology used 
for live updating of Web objects without having to reload the entire page. 

Application Delivery Network (ADN) — A WAN that has been optimized for 
acceleration and compression by Blue Coat. This network can also be secured 
through the use of appliance certificates. An ADN network is composed of an 
ADN manager and backup ADN manager, ADN nodes, and a network 
configuration that matches the environment. 

ADN backup manager — Takes over for the ADN manager in the event it becomes 
unavailable. See ADN manager. 

ADN manager — Responsible for publishing the routing table to SG Clients (and 
to other ProxySG appliances). 

ADN optimize attribute — Controls whether to optimize bandwidth usage when 
connecting upstream using an ADN tunnel. 

A record — The central records of DNS, which link a domain or subdomain to an 
IP address. An A record can correspond to a single IP address or many IP 
addresses. 

asx rewrite — Allows you to rewrite URLs and then direct a client's subsequent 
request to the new URL. One of the main applications of ASX file rewrites is to 
provide explicit proxy-like support for Windows Media Player 6.4, which 
cannot set explicit proxy mode for protocols other than HTTP. 



141 



Volume I: Getting Started 



audit — A log that provides a record of who accessed what and how. 

authenticate-401 attribute — All transparent and explicit requests received on the port 
always use transparent authentication (cookie or IP, depending on the 
configuration). This is especially useful to force transparent proxy authentication 
in some proxy-chaining scenarios 

authenticated content — Cached content that requires authentication at the origin 
content server (OCS). Supported authentication types for cached data include 
basic authentication and IWA (or NTLM). 

authentication — Allows you to verify the identity of a user. In its simplest form, this 
is done through usernames and passwords. Much more stringent authentication 
can be employed using digital certificates that have been issued and verified by a 
Certificate Authority. See also basic authentication, proxy authentication, and SSL 
authentication. 

authentication realm — Authenticates and authorizes users to access SG services 
using either explicit proxy or transparent proxy mode. These realms integrate 
third-party vendors, such as LDAP, Windows, and Novell, with the Blue Coat 
operating system. 

authorization — The permissions given to an authenticated user. 



bandwidth — The amount of data you can send through a network or modem 
connection, usually measured in bits per second (bps). 

bandwidth class — A defined unit of bandwidth allocation. 

bandwidth class hierarchy — A gouping of bandwidth classes into a tree structure 
that specifies the relationship among different classes. You create a hierarchy by 
creating at least one parent class and assigning other classes as its children. 

bandwidth gain — Bandwidth gain is a calculation of the savings that occur when 
bandwidth is not consumed as a result of some form of optimization. 

For example, bandwidth gain for active sessions is calculated by subtracting the 
number of client bytes from the number of server bytes and dividing the result by 
the number of server bytes. 

(Client Bytes - Server Bytes) / Server Bytes 

bandwidth management — Classify, control, and, if needed, limit the amount of 
bandwidth used by network traffic flowing in or out of a ProxySG. 

basic authentication — The standard authentication for communicating with the 
target as identified in the URL. 

BCAAA — Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to 
manage authentication and authorization for IWA, CA eTrust SiteMinder realms, 
Oracle COREid, Novell, and Windows realms. The agent is installed and 
configured separately from SGOS 5.x and is available from the Blue Coat Web site. 

BCLP — Blue Coat Licensing Portal. 

byte-range support — The ability of the ProxySG to respond to byte-range requests 
(requests with a Range : HTTP header). 
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cache — An "object store," either hardware or software, that stores information 
(objects) for later retrieval. The first time the object is requested, it is stored, 
making subsequent requests for the same information much faster. 

A cache helps reduce the response time and network bandwidth consumption on 
future, equivalent requests. The ProxySG serves as a cache by storing content 
from many users to minimize response time and prevent extraneous network 
traffic. 

cache control — Allows you to configure which content the ProxySG stores. 

cache efficiency — A tab found on the Statistics pages of the Management Console 
that shows the percent of objects served from cache, the percent loaded from the 
network, and the percent that were non-cacheable. 

cache hit — Occurs when the ProxySG receives a request for an object and can serve 
the request from the cache without a trip to the origin server. 

cache miss — Occurs when the ProxySG receives a request for an object that is not 
in the cache. The ProxySG must then fetch the requested object from the origin 
server. 

cache object — Cache contents includes all objects currently stored by the ProxySG. 
Cache objects are not cleared when the ProxySG is powered off. 

Certificate Authority (CA) — A trusted, third-party organization or company that 
issues digital certificates used to create digital signatures and public key/ private 
key pairs. The role of the CA is to guarantee that the individuals or company 
representatives who are granted a unique certificate are who they claim to be. 

child class (bandwidth gain) — The child of a parent class is dependent on that parent 
class for available bandwidth (they share the bandwidth in proportion to their 
minimum/ maximum bandwidth values and priority levels). A child class with 
siblings (classes with the same parent class) shares bandwidth with those siblings 
in the same manner. 

cipher suite — Specifies the algorithms used to secure an SSL connection. When a 
client makes an SSL connection to a server, it sends a list of the cipher suites that it 
supports. 

client consent certificates — A certificate that indicates acceptance or denial of 
consent to decrypt an end user's HTTPS request. 

client-side transparency — A way of replacing the ProxySG IP address with the Web 
server IP address for all port 80 traffic destined to go to the client. This effectively 
conceals the ProxySG address from the client and conceals the identity of the 
client from the Web server. 

concentrator — A ProxySG, usually located in a data center, that provides access to 
data center resources, such as file servers. 

content filtering — A way of controlling which content is delivered to certain users. 
ProxySG appliances can filter content based on content categories (such as 
gambling, games, and so on), type (such as http, ftp, streaming, and mime type), 
identity (user, group, network), or network conditions. You can filter content 
using vendor-based filtering or by allowing or denying access to URLs. 
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default boot system — The system that was successfully started last time. If a system 
fails to boot, the next most recent system that booted successfully becomes the 
default boot system. 

default proxy listener — See proxy service (default). 

denial of service (DoS) — A method that hackers use to prevent or deny legitimate 
users access to a computer, such as a Web server. DoS attacks typically send many 
request packets to a targeted Internet server, flooding the server's resources and 
making the system unusable. Any system connected to the Internet and equipped 
with TCP-based network services is vulnerable to a DoS attack. 

The ProxySG resists DoS attacks launched by many common DoS tools. With a 
hardened TCP/IP stack, the ProxySG resists common network attacks, including 
traffic flooding. 

destination objects — Used in Visual Policy Manager. These are the objects that 
define the target location of an entry type. 

detect protocol attribute — Detects the protocol being used. Protocols that can be 
detected include: HTTP, P2P (eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and 
Endpoint Mapper. 

diagnostic reporting — Found in the Statistics pane, the Diagnostics tab allows you to 
control whether Daily Heartbeats and/ or Blue Coat Monitoring are enabled or 
disabled. 

directives — Commands used in installable lists to configure forwarding and 
SOCKS gateway. 

DNS access — A policy layer that determines how the ProxySG processes DNS 
requests. 

domain name system (DNS) — An Internet service that translates domain names into 
IP addresses. 

dynamic bypass — Provides a maintenance-free method for improving performance 
of the ProxySG by automatically compiling a list of requested URLs that return 
various kinds of errors. 

dynamic real-time rating (DRTR) — Used in conjunction with the Blue Coat Web Filter 
(BCWF), DRTR (also known as dynamic categorization) provides real-time analysis 
and content categorization of requested Web pages to solve the problem of new 
and previously unknown uncategorized URLs — those not in the database. 

When a user requests a URL that has not already been categorized by the BCWF 
database (for example, a brand new Web site), the ProxySG dynamic 
categorization service analyzes elements of the requested content and assigns a 
category or categories. The dynamic service is consulted only when the installed 
BCWF database does not contain category information for an object. 



early intercept attribute — Controls whether the proxy responds to client TCP 
connection requests before connecting to the upstream server. When early 
intercept is disabled, the proxy delays responding to the client until after it has 
attempted to contact the server. 



144 



ELFF-compatible format — A log type defined by the W3C that is general enough to 
be used with any protocol. 

emulated certificates — Certificates that are presented to the user by the ProxySG 
when intercepting HTTPS requests. Blue Coat emulates the certificate from the 
server and signs it, copying the subjectName and expiration. The original 
certificate is used between the ProxySG and the server. 

encrypted log — A log is encrypted using an external certificate associated with a 
private key. Encrypted logs can only be decrypted by someone with access to the 
private key. The private key is not accessible to the ProxySG. 

EU LA — End user license agreement. 

event logging — Allows you to specify the types of system events logged, the size of 
the event log, and to configure Syslog monitoring. The ProxySG can also notify 
you by email if an event is logged. See also access logging. 

explicit proxy — A configuration in which the browser is explicitly configured to 
communicate with the proxy server for access to content. This is the default for 
the ProxySG and requires configuration for both the browser and the interface 
card. 

extended log file format (ELFF) — A variant of the common log file format, which has 
two additional fields at the end of the line — the referer and the user agent fields. 



fail open/closed — Failing open or closed applies to forwarding hosts and groups 
and SOCKS gateways. Fail open or closed applies when health checks are 
showing sick for each forwarding or SOCKS gateway target in the applicable fail- 
over sequence. If no systems are healthy, the ProxySG fails open or closed, 
depending on the configuration. If closed, the connection attempt simply fails. 

If open, an attempt is made to connect without using any forwarding target (or 
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no 
setting is specified. 

filtering — See content filtering. 

forward proxy — A proxy server deployed close to the clients and used to access 
many servers. A forward proxy can be explicit or transparent. 

FTP — See Native FTP and Web FTP. 



gateway — A device that serves as entrance and exit into a communications 
network. 



hardware serial number — A string that uniquely identifies the ProxySG; it is assigned 
to each unit in manufacturing. 

health check tests — The method of determining network connectivity, target 
responsiveness, and basic functionality. The following tests are supported: 
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• ICMP 

• TCP 

• SSL 

• HTTP 

• HTTPS 

• Group 

• Composite and reference to a composite result 

• ICAP 

• Websense 

• DRTR rating service 

health check type — The kind of device or service the specific health check tests. The 
following types are supported: 

• Forwarding host and forwarding group 

• SOCKS gateway and SOCKS gateway group 

• CAP service and ICAP service group 

• Websense off-box service and Websense off-box service group 

• DRTR rating service 

• User-defined host and a user-defined composite 

heartbeat — Messages sent once every 24 hours that contain the statistical and 
configuration data for the ProxySG, indicating its health. Heartbeats are 
commonly sent to system administrators and to Blue Coat. Heartbeats contain no 
private information, only aggregate statistics useful for pre-emptively diagnosing 
support issues. 

The ProxySG sends emergency heartbeats whenever it is rebooted. Emergency 
heartbeats contain core dump and restart flags in addition to daily heartbeat 
information. 

host affinity — The attempt to direct multiple connections by a single user to the 
same group member. Host affinity is closely tied to load balancing behavior; both 
should be configured if load balancing is important. 

host affinity timeout — The host affinity timeout determines how long a user remains 
idle before the connection is closed. The timeout value checks the user's IP 
address, SSL ID, or cookie in the host affinity table. 



inbound traffic (bandwidth gain) — Network packets flowing into the ProxySG. 
Inbound traffic mainly consists of the following: 

• Server inbound: Packets originating at the origin content server (OCS) and 
sent to the ProxySG to load a Web object. 
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• Client inbound: Packets originating at the client and sent to the ProxySG 
for Web requests. 

installable list — A list of configuration parameters that can be created using a text 
editor (either Blue Coat or another text editor) or through the CLI inline 
commands. The list can then be downloaded to the ProxySG from an HTTP server 
or locally from your PC. Configurations that can be created and installed this way 
include the SG Client, archiving, forwarding hosts, SOCKS gateways, ICP, policy 
files, and exceptions. 

integrated host timeout — An integrated host is an origin content server (OCS) that 
has been added to the health check list. The host, added through the 
integrate_new_hosts property, ages out of the integrated host table after 
being idle for the specified time. The default is 60 minutes. 

intervals — Time period from the completion of one health check to the start of the 
next health check. 

IP reflection — Determines how the client IP address is presented to the origin server 
for explicitly proxied requests. All proxy services contain a reflect-ip attribute, 
which enables or disables sending of client's IP address instead of the IP address 
of the ProxySG. 

issuer keyring — The keyring used by the ProxySG to sign emulated certificates. The 
keyring is configured on the appliance and managed through policy. 



licensable component (LC) — (Software) A subcomponent of a license; it is an option 
that enables or disables a specific feature. 

LCAMS — License Configuration and Management System. 

license — Provides both the right and the ability to use certain software functions 
within a Proxy AV (or ProxySG) appliance. The license key defines and controls 
the license, which is owned by an account. 

listener — The service that is listening on a specific port. A listener can be identified 
by any destination IP/subnet and port range. Multiple listeners can be added to 
each service. 

live content — Also called live broadcast. Used in streaming, it indicates that the 
content is being delivered fresh. 

LKF — License key file. 

load balancing — A way to share traffic requests among multiple upstream systems 
or multiple IP addresses on a single host. 

local bypass list — A list you create and maintain on your network. You can use a 
local bypass list alone or in conjunction with a central bypass list. 

local policy file — Written by enterprises (as opposed to the central policy file written 
by Blue Coat); used to create company- and department-specific advanced 
policies written in the Blue Coat Policy Language (CPL). 
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log facility — A separate log that contains a single logical file and supports a single 
log format. It also contains the file's configuration and upload schedule 
information as well as other configurable information such as how often to rotate 
(switch to a new log) the logs at the destination, any passwords needed, and the 
point at which the facility can be uploaded. 

log format — The type of log that is used: NCSA/ Common, SQUID, ELFF, 
SurfControl, or Websense. 

The proprietary log types each have a corresponding pre-defined log format that 
has been set up to produce exactly that type of log (these logs cannot be edited). In 
addition, a number of other EFFF type log formats are also pre-defined (im, main, 
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log 
fields for logging particular protocols understood by the ProxySG. It is also 
possible to create new log formats of type EFFF or Custom which can contain any 
desired combination of log fields. 

log tail — The access log tail shows the log entries as they get logged. With high 
traffic on the ProxySG, not all access log entries are necessarily displayed. 
However, you can view all access log information after uploading the log. 



M 

MACH5 — SGOS 5 MACH5 Edition. 

Management Console — A graphical Web interface that lets you to manage, 
configure, monitor, and upgrade the ProxySG from any location. The 
Management Console consists of a set of Web pages and Java applets stored on 
the ProxySG. The appliance acts as a Web server on the management port to serve 
these pages and applets. 

management information base (MIB) — Defines the statistics that management systems 
can collect. A managed device (gateway) has one or more MIBs as well as one or 
more SNMP agents, which implements the information and management 
functionality defined by a specific MIB. 

maximum object size — The maximum object size stored in the ProxySG. All objects 
retrieved that are greater than the maximum size are delivered to the client but are 
not stored in the ProxySG. 

Media Access Control (MAC) address — A unique value associated with a network 
adapter; also known as hardware address or physical address. For the ProxySG, it 
is a hardware address that is stored in each network card (such as an SSF 
accelerator card or a Quad GigE Fiber EX card) on the ProxySG. The MAC 
address uniquely identifies an adapter on a FAN and is a 12-digit hexadecimal 
number (48 bits in length). 

MIME/FILE type filtering — Allows organizations to implement Internet policies for 
both uploaded and downloaded content by MIME or FIFE type. 

multi-bit rate — The capability of a single stream to deliver multiple bit rates to 
clients requesting content from ProxySG appliances from within varying levels of 
network conditions (such as different connecting band widths and traffic). 

multicast — Used in streaming; the ability for hundreds or thousands of users to 
play a single stream. 
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multicast aliases — Used in streaming; a streaming command that specifies an alias 
for a multicast URL to receive an .nsc file. The .nsc files allows the multicast 
session to obtain the information in the control channel 

multicast station — Used in streaming; a defined location on the proxy where the 
Windows Media player can retrieve streams. A multicast station enables multicast 
transmission of Windows Media content from the cache. The source of the 
multicast-delivered content can be a unicast-live source, a multicast (live) source, 
and simulated live (video-on-demand content converted to scheduled live 
content). 

multimedia content services — Used in streaming; multimedia support includes Real 
Networks, Microsoft Windows Media, Apple QuickTime, MP3, and Flash. 



name inputing — Allows a ProxySG to resolve host names based on a partial name 
specification. When a host name is submitted to the DNS server, the DNS server 
resolves the name to an IP address. If the host name cannot be resolved. Blue Coat 
adds the first entry in the name-inputing list to the end of the host name and 
resubmits it to the DNS server 

native FTP — Native FTP involves the client connecting (either explicitly or 
transparently) using the FTP protocol; the ProxySG then connects upstream 
through FTP (if necessary). 

NCSA common log format — Blue Coat products are compatible with this log type, 
which contains only basic HTTP access information. 

network address translation (NAT) — The process of translating private network (such 
as intranet) IP addresses to Internet IP addresses and vice versa. This 
methodology makes it possible to match private IP addresses to Internet IP 
addresses even when the number of private addresses outnumbers the pool of 
available Internet addresses. 

non-cacheable objects — A number of objects are not cached by the ProxySG because 
they are considered non-cacheable. You can add or delete the kinds of objects that 
the appliance considers non-cacheable. Some of the non-cacheable request types 
are: 

• Pragma no-cache, requests that specify non-cached objects, such as when 
you click refresh in the Web browser. 

• Password provided, requests that include a client password. 

• Data in request that include additional client data. 

• Not a GET request. 

.nsc file — Created from the multicast station definition and saved through the 
browser as a text file encoded in a Microsoft proprietary format. Without an .nsc 
file, the multicast station definition does not work. 
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NTP — To manage objects in an appliance, a ProxySG must know the current 
Universal Time Coordinates (UTC) time. By default, the ProxySG attempts to 
connect to a Network Time Protocol (NTP) server to acquire the UTC time. The 
ProxySG includes a list of NTP servers available on the Internet, and attempts to 
connect to them in the order they appear in the NTP server list on the NTP tab. 



object (used in caching) — An object is the item that is stored in an appliance. These 
objects can be frequently accessed content, content that has been placed there by 
content publishers, or Web pages, among other things. 

object (used in Visual Policy Manager) — An object (sometimes referred to as a 
condition) is any collection or combination of entry types you can create 
individually (user, group, IP address/ subnet, and attribute). To be included in an 
object, an item must already be created as an individual entry. 

object pipelining — This patented algorithm opens as many simultaneous TCP 
connections as the origin server will allow and retrieves objects in parallel. The 
objects are then delivered from the appliance straight to the user's desktop as fast 
as the browser can request them. 

Online Certificate Status Protocol (OCSP) — An Internet protocol used for obtaining the 
revocation status of an X.509 digital certificate. OCSP was created as an 
alternative to certificate revocation lists (CRL), specifically addressing certain 
problems associated with using CRLs in a public key infrastructure (PKI). OCSP 
servers are called OCSP responders due to the request/ response nature of these 
messages. 

origin content server (OCS) — Also called origin server. This is the original source of 
the content that is being requested. An appliance needs the OCS to acquire data 
the first time, to check that the content being served is still fresh, and to 
authenticate users. 

outbound traffic (bandwidth gain) — Network packets flowing out of the ProxySG. 
Outbound traffic mainly consists of the following: 

• Client outbound: Packets sent to the client in response to a Web request. 

• Server outbound: Packets sent to an OCS or upstream proxy to request a 
service. 



PAC (Proxy AutoConfiguration) scripts — Originally created by Netscape, PACs are a 
way to avoid requiring proxy hosts and port numbers to be entered for every 
protocol. You need only enter the URL. A PAC can be created with the needed 
information and the local browser can be directed to the PAC for information 
about proxy hosts and port numbers. 

packet capture (PCAP) — Allows filtering on various attributes of the Ethernet frame 
to limit the amount of data collected. You can capture packets of Ethernet frames 
going into or leaving a ProxySG. 
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parent class (bandwidth gain) — A class with at least one child. The parent class must 
share its bandwidth with its child classes in proportion to the minimum/ 
maximum bandwidth values or priority levels. 

passive mode data connections (PASV) — Data connections initiated by an FTP client to 
an FTP server. 

pipelining — See object pipelining. 

policies — Groups of rules that let you manage Web access specific to the needs of 
an enterprise. Policies enhance ProxySG feature areas such as authentication and 
virus scanning, and let you control end-user Web access in your existing 
infrastructure. 

policy-based bypass list — Used in policy. Allows a bypass based on the properties of 
the client, unlike static and dynamic bypass lists, which allow traffic to bypass the 
appliance based on destination IP address. See also dynamic bypass. 

policy layer — A collection of rules created using Blue Coat CPL or with the VPM. 

pragma: no cache (PNC) — A metatag in the header of a request that requires the 
appliance to forward a request to the origin server. This allows clients to always 
obtain a fresh copy. 

proxy — Caches content, filters traffic, monitors Internet and intranet resource 
usage, blocks specific Internet and intranet resources for individuals or groups, 
and enhances the quality of Internet or intranet user experiences. 

A proxy can also serve as an intermediary between a Web client and a Web server 
and can require authentication to allow identity-based policy and logging for the 
client. 

The rules used to authenticate a client are based on the policies you create on the 
ProxySG, which can reference an existing security infrastructure — LDAP, 
RADIUS, IWA, and the like. 

Proxy Edition — SGOS 5 Proxy Edition. 

proxy service — The proxy service defines the ports, as well as other attributes, that 
are used by the proxies associated with the service. 

proxy service (default) — The default proxy service is a service that intercepts all 
traffic not otherwise intercepted by other listeners. It only has one listener whose 
action can be set to bypass or intercept. No new listeners can be added to the 
default proxy service, and the default listener and service cannot be deleted. 
Service attributes can be changed. 

ProxySG — A Blue Coat security and cache box that can help manage security and 
content on a network. 

public key certificate — An electronic document that encapsulates the public key of 
the certificate sender, identifies this sender, and aids the certificate receiver to 
verify the identity of the certificate sender. A certificate is often considered valid if 
it has been digitally signed by a well-known entity, which is called a Certificate 
Authority (such as VeriSign). 

public virtual IP (VIP) — Maps multiple servers to one IP address and then propagates 
that information to the public DNS servers. Typically, there is a public VIP known 
to the public Internet that routes the packets internally to the private VIP. This 
enables you to "hide" your servers from the Internet. 
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real-time streaming protocol (RTSP) — A standard method of transferring audio and 
video and other time-based media over Internet-technology based networks. The 
protocol is used to stream clips to any RTP-based client. 

reflect client IP attribute — Enables the sending of the client's IP address instead of the 
SG's IP address to the upstream server. If you are using an application delivery 
network (ADN), this setting is enforced on the concentrator proxy through the 

Configuration > App. Delivery Network > Tunneling tab. 

registration — An event that binds the appliance to an account, that is, it creates the 
Serial#, Account association. 

remote authentication dial-in user service (RADIUS) — Authenticates user identity via 
passwords for network access. 

Return to Sender (RTS) — A way of allowing outgoing TCP packets to use the same 
network interface on which the corresponding incoming TCP packets arrived. 
The destination Media Acess Control (MAC) address for the outgoing packets is 
the same as the source MAC address of the incoming packets. See also Media 
Access Control (MAC) address. 

reverse proxy — A proxy that acts as a front end to a small number of predefined 
servers, typically to improve performance. Many clients can use it to access the 
small number of predefined servers. 

routing information protocol (RIP) — Designed to select the fastest route to a 
destination. RIP support is built into ProxySG appliances. 

router hops — The number of jumps a packet takes when traversing the Internet. 
RTS — See Return to Sender. 



secure shell (SSH) — Also known as Secure Socket Shell. SSH is an interface and 
protocol that provides strong authentication and enables you to securely access a 
remote computer. Three utilities — login, ssh, and scp — comprise SSH. Security via 
SSH is accomplished using a digital certificate and password encryption. 
Remember that the Blue Coat ProxySG requires SSH1. A ProxySG supports a 
combined maximum of 16 Telnet and SSH sessions. 

serial console — A third-party device that can be connected to one or more Blue 
Coat appliances. Once connected, you can access and configure the appliance 
through the serial console, even when you cannot access the appliance directly. 

server certificate categories — The hostname in a server certificate can be categorized 
by BCWF or another content filtering vendor to fit into categories such as 
banking, finance, sports. 

server portals — Doorways that provide controlled access to a Web server or a 
collection of Web servers. You can configure Blue Coat appliances to be server 
portals by mapping a set of external URLs onto a set of internal URLs. 



152 



server-side transparency — The ability for the server to see client IP addresses, which 
enables accurate client-access records to be kept. When server-side transparency 
is enabled, the appliance retains client IP addresses for all port 80 traffic to and 
from the ProxySG. In this scheme, the client IP address is always revealed to the 
server. 

service attributes — Define the parameters, such as explicit or transparent, cipher 
suite, and certificate verification, that the ProxySG uses for a particular service. 

sibling class (bandwidth gain) — A bandwidth class with the same parent class as 
another class. 

signed system image — Cryptographically signed with a key known only to Blue 
Coat, and the signature is verified when the image is downloaded to the system. 

simple network management protocol (SNMP) — The standard operations and 
maintenance protocol for the Internet. It consists of a set of standards for network 
management, including an application layer protocol, a database schema, and a 
set of data objects. In SNMP, the available information is defined by management 
information bases (MIBs), which describe the structure of the management data. 

simulated live — Used in streaming. Defines playback of one or more video-on- 
demand files as a scheduled live event, which begins at a specified time. The 
content can be looped multiple times, or scheduled to start at multiple start times 
throughout the day. 

SmartReporter log type — A proprietary ELFF log type that is compatible with the 
SmartFilter SmartReporter tool. 

SOCKS — A proxy protocol for TCP/IP-based networking applications that allows 
users transparent access across the firewall. If you are using a SOCKS server for 
the primary or alternate forwarding gateway, you must specify the appliance's ID 
for the identification protocol used by the SOCKS gateway. The machine ID 
should be configured to be the same as the appliance's name. 

SOCKS proxy — A generic way to proxy TCP and UDP protocols. The ProxySG 
supports both SOCKSv4/ 4a and SOCKSv5; however, because of increased 
username and password authentication capabilities and compression support. 
Blue Coat recommends that you use SOCKS v5. 

splash page — The custom message page that displays the first time you start the 
client browser. 

split proxy — Employs co-operative processing at the branch and the core to 
implement functionality that is not possible in a standalone proxy. Examples of 
split proxies include: 

• Mapi Proxy 

• SSE Proxy 

SQUID-compatible format — A log type that was designed for cache statistics and is 
compatible with Blue Coat products. 

squid-native log format — The Squid-compatible format contains one line for each 
request. 

SSL authentication — Ensures that communication is with "trusted" sites only. 
Requires a certificate issued by a trusted third party (Certificate Authority). 
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SSL client — See SSL device profile. 

SSL device profile — Used to determine various SSL parameters for outgoing HTTPS 
connections. Specifically, its role is to: 

• Identify the SSL protocol version that the ProxySG uses in negotiations 
with origin servers. 

• Identify the cipher suites used. 

• Determine which certificate can be presented to origin servers by 
associating a keyring with the profile. 

SSL interception — Decrypting SSL connections. 

SSL proxy — A proxy that can be used for any SSL traffic (HTTPS or not), in either 
forward or reverse proxy mode. 

static route — A manually-configured route that specifies the transmission path a 
packet must follow, based on the packet's destination address. A static route 
specifies a transmission path to another network. 

statistics — Every Blue Coat appliance keeps statistics of the appliance hardware 
and the objects it stores. You can review the general summary, the volume, 
resources allocated, cache efficiency, cached contents, and custom URLs generated 
by the appliance for various kinds of logs. You can also check the event viewer for 
every event that occurred since the appliance booted. 

stream — A flow of a single type of data, measured in kilobits per second (Kbps). A 
stream could be the sound track to a music video, for example. 

SurfControl log type — A proprietary log type that is compatible with the SurfControl 
reporter tool. The SurfControl log format includes fully-qualified usernames 
when an NTLM realm provides authentication. The simple name is used for all 
other realm types. 

syslog — An event-monitoring scheme that is especially popular in Unix 
environments. Most clients using Syslog have multiple devices sending messages 
to a single Syslog daemon. This allows viewing a single chronological event log of 
all of the devices assigned to the Syslog daemon. The Syslog format is: "Date Time 
Hostname Event." 

system cache — The software cache on the appliance. When you clear the cache, all 
objects in the cache are set to expired. The objects are not immediately removed 
from memory or disk, but a subsequent request for any object requested is 
retrieved from the origin content server before it is served. 



TCP window size — The number of bytes that can be buffered before the sending host 
must wait for an acknowledgement from the receiving host. 

time-to-live (TTL) value — Used in any situation where an expiration time is needed. 
For example, you do not want authentication to last beyond the current session 
and also want a failed command to time out instead of hanging the box forever. 

traffic flow (bandwidth gain) — Also referred to as flow. A set of packets belonging to 
the same TCP/UDP connection that terminate at, originate at, or flow through the 
ProxySG. A single request from a client involves two separate connections. One of 
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them is from the client to the ProxySG, and the other is from the ProxySG to the 
OCS. Within each of these connections, traffic flows in two directions — in one 
direction, packets flow out of the ProxySG (outbound traffic), and in the other 
direction, packets flow into the ProxySG (inbound traffic). Connections can come 
from the client or the server. Thus, traffic can be classified into one of four types: 

• Server inbound 

• Server outbound 

• Client inbound 

• Client outbound 

These four traffic flows represent each of the four combinations described above. 
Each flow represents a single direction from a single connection. 

transmission control protocol (TCP) — TCP, when used in conjunction with IP (Internet 
Protocol) enables users to send data, in the form of message units called packets, 
between computers over the Internet. TCP is responsible for tracking and 
handling, and reassembly of the packets; IP is responsible for packet delivery. 

transparent proxy — A configuration in which traffic is redirected to the ProxySG 
without the knowledge of the client browser. No configuration is required on the 
browser, but network configuration, such as an L4 switch or a WCCP-compliant 
router, is required. 

trial period — Starting with the first boot, the trial period provides 60 days of free 
operation. All features are enabled during this time. 



unicast alias — Defines an name on the appliance for a streaming URL. When a 
client requests the alias content on the appliance, the appliance uses the URL 
specified in the unicast-alias command to request the content from the origin 
streaming server. 

universal time coordinates (UTC) — A ProxySG must know the current UTC time. By 
default, the appliance attempts to connect to a Network Time Protocol (NTP) 
server to acquire the UTC time. If the ProxySG cannot access any NTP servers, 
you must manually set the UTC time. 

URL filtering — See content filtering. 

URL rewrite rules — Rewrite the URLs of client requests to acquire the streaming 
content using the new URL. Lor example, when a client tries to access content on 
www.mycompany.com, the ProxySG is actually receiving the content from the 
server on 10.253.123.123. The client is unaware that mycompany.com is not 
serving the content; however, the ProxySG access logs indicate the actual server 
that provides the content. 



WCCP — Web Cache Communication Protocol. Allows you to establish redirection 
of the traffic that flows through routers. 
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Web FTP — Web FTP is used when a client connects in explicit mode using HTTP 
and accesses an ftp:/ / URL. The ProxySG translates the HTTP request into an 
FTP request for the OCS (if the content is not already cached), and then translates 
the FTP response with the file contents into an HTTP response for the client. 

Websense log type — A Blue Coat proprietary log type that is compatible with the 
Websense reporter tool. 



XML responder — HTTP XML service that runs on an external server. 

XML requestor — XML realm. 
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